2019-07-04 00:00:57 +08:00
|
|
|
-- Create user and enable OAuth event trigger
|
|
|
|
\set QUIET on
|
|
|
|
SET client_min_messages TO error;
|
2019-10-24 17:33:07 +08:00
|
|
|
|
|
|
|
-- The permission error changed between pre PG11 and post 11 (before everythin "relation", now it's "view", "table" and so on
|
|
|
|
CREATE OR REPLACE FUNCTION catch_permission_error(query text)
|
|
|
|
RETURNS bool
|
|
|
|
AS $$
|
|
|
|
BEGIN
|
|
|
|
EXECUTE query;
|
|
|
|
RETURN FALSE;
|
|
|
|
EXCEPTION
|
|
|
|
WHEN insufficient_privilege THEN
|
|
|
|
RETURN TRUE;
|
|
|
|
WHEN OTHERS THEN
|
|
|
|
RAISE WARNING 'Exception %', sqlstate;
|
|
|
|
RETURN FALSE;
|
|
|
|
END
|
|
|
|
$$ LANGUAGE 'plpgsql';
|
|
|
|
|
2019-07-17 15:46:49 +08:00
|
|
|
DROP ROLE IF EXISTS "creator_role";
|
2019-07-04 00:00:57 +08:00
|
|
|
CREATE ROLE "creator_role" LOGIN;
|
2019-07-17 15:46:49 +08:00
|
|
|
DROP ROLE IF EXISTS "ownership_role";
|
2019-07-04 00:00:57 +08:00
|
|
|
CREATE ROLE "ownership_role" LOGIN;
|
|
|
|
GRANT ALL ON SCHEMA cartodb TO "creator_role";
|
2019-07-04 19:46:53 +08:00
|
|
|
SELECT CDB_Conf_SetConf('api_keys_creator_role', '{"username": "creator_role", "permissions":[]}');
|
2019-07-04 00:00:57 +08:00
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
SET client_min_messages TO notice;
|
|
|
|
\set QUIET off
|
|
|
|
|
2019-07-04 19:46:53 +08:00
|
|
|
-- First part without event trigger
|
|
|
|
|
2019-07-04 00:00:57 +08:00
|
|
|
CREATE TABLE test(id INT);
|
|
|
|
INSERT INTO test VALUES(1);
|
2019-07-04 19:46:53 +08:00
|
|
|
CREATE TABLE test_tablesas AS SELECT * FROM test;
|
|
|
|
CREATE VIEW test_view AS SELECT * FROM test;
|
|
|
|
CREATE MATERIALIZED VIEW test_mview AS SELECT * FROM test;
|
|
|
|
SELECT * INTO test_selectinto FROM test;
|
2019-10-25 17:50:03 +08:00
|
|
|
CREATE FUNCTION test_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
2019-07-04 19:46:53 +08:00
|
|
|
|
2019-07-04 00:00:57 +08:00
|
|
|
SELECT * FROM test;
|
2019-07-04 19:46:53 +08:00
|
|
|
SELECT * FROM test_tablesas;
|
|
|
|
SELECT * FROM test_view;
|
|
|
|
SELECT * FROM test_mview;
|
|
|
|
SELECT * FROM test_selectinto;
|
2019-10-25 18:26:21 +08:00
|
|
|
SELECT public.test_function();
|
2019-07-04 00:00:57 +08:00
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION "ownership_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
2019-10-24 17:33:07 +08:00
|
|
|
SELECT 'denied_table', catch_permission_error($$SELECT * FROM test;$$);
|
|
|
|
SELECT 'denied_tableas', catch_permission_error($$SELECT * FROM test_tablesas;$$);
|
|
|
|
SELECT 'denied_view', catch_permission_error($$SELECT * FROM test_view;$$);
|
|
|
|
SELECT 'denied_mview', catch_permission_error($$SELECT * FROM test_mview;$$);
|
|
|
|
SELECT 'denied_selectinto', catch_permission_error($$SELECT * FROM test_selectinto;$$);
|
2019-10-25 18:39:30 +08:00
|
|
|
SELECT test_function();
|
|
|
|
SELECT public.test_function();
|
2019-10-25 18:26:21 +08:00
|
|
|
SELECT 'denied_function', catch_permission_error($$SELECT public.test_function();$$);
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
DROP TABLE test_tablesas;
|
|
|
|
DROP VIEW test_view;
|
|
|
|
DROP MATERIALIZED VIEW test_mview;
|
|
|
|
DROP TABLE test_selectinto;
|
|
|
|
DROP TABLE test;
|
2019-10-25 17:34:59 +08:00
|
|
|
DROP FUNCTION test_function;
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
-- Second part with event trigger but without ownership_role_name in cdb_conf
|
2019-07-04 00:00:57 +08:00
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION postgres;
|
|
|
|
SELECT CDB_EnableOAuthReassignTablesTrigger();
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
CREATE TABLE test2(id INT);
|
|
|
|
INSERT INTO test2 VALUES(1);
|
2019-07-04 19:46:53 +08:00
|
|
|
CREATE TABLE test2_tablesas AS SELECT * FROM test2;
|
|
|
|
CREATE VIEW test2_view AS SELECT * FROM test2;
|
|
|
|
CREATE MATERIALIZED VIEW test2_mview AS SELECT * FROM test2;
|
|
|
|
SELECT * INTO test2_selectinto FROM test2;
|
2019-10-25 17:50:03 +08:00
|
|
|
CREATE FUNCTION test2_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
2019-07-04 19:46:53 +08:00
|
|
|
|
2019-07-04 00:00:57 +08:00
|
|
|
SELECT * FROM test2;
|
2019-07-04 19:46:53 +08:00
|
|
|
SELECT * FROM test2_tablesas;
|
|
|
|
SELECT * FROM test2_view;
|
|
|
|
SELECT * FROM test2_mview;
|
|
|
|
SELECT * FROM test2_selectinto;
|
2019-10-25 18:26:21 +08:00
|
|
|
SELECT public.test2_function();
|
2019-07-04 00:00:57 +08:00
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION "ownership_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
2019-10-24 17:33:07 +08:00
|
|
|
SELECT 'denied_table2', catch_permission_error($$SELECT * FROM test2;$$);
|
|
|
|
SELECT 'denied_tableas2', catch_permission_error($$SELECT * FROM test2_tablesas;$$);
|
|
|
|
SELECT 'denied_view2', catch_permission_error($$SELECT * FROM test2_view;$$);
|
|
|
|
SELECT 'denied_mview2', catch_permission_error($$SELECT * FROM test2_mview;$$);
|
|
|
|
SELECT 'denied_selectinto2', catch_permission_error($$SELECT * FROM test2_selectinto;$$);
|
2019-10-25 18:26:21 +08:00
|
|
|
SELECT 'denied_function2', catch_permission_error($$SELECT public.test2_function();$$);
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
DROP TABLE test2_tablesas;
|
|
|
|
DROP VIEW test2_view;
|
|
|
|
DROP MATERIALIZED VIEW test2_mview;
|
|
|
|
DROP TABLE test2_selectinto;
|
|
|
|
DROP TABLE test2;
|
2019-10-25 17:34:59 +08:00
|
|
|
DROP FUNCTION test2_function;
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
-- Third part with event trigger but with empty ownership_role_name in cdb_conf
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION postgres;
|
|
|
|
SELECT CDB_Conf_SetConf('api_keys_creator_role', '{"username": "creator_role", "permissions":[], "ownership_role_name": ""}');
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
CREATE TABLE test3(id INT);
|
|
|
|
INSERT INTO test3 VALUES(1);
|
|
|
|
CREATE TABLE test3_tablesas AS SELECT * FROM test3;
|
|
|
|
CREATE VIEW test3_view AS SELECT * FROM test3;
|
|
|
|
CREATE MATERIALIZED VIEW test3_mview AS SELECT * FROM test3;
|
|
|
|
SELECT * INTO test3_selectinto FROM test3;
|
2019-10-25 17:50:03 +08:00
|
|
|
CREATE FUNCTION test3_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
SELECT * FROM test3;
|
|
|
|
SELECT * FROM test3_tablesas;
|
|
|
|
SELECT * FROM test3_view;
|
|
|
|
SELECT * FROM test3_mview;
|
|
|
|
SELECT * FROM test3_selectinto;
|
2019-10-25 18:26:21 +08:00
|
|
|
SELECT public.test3_function();
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION "ownership_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
2019-10-24 17:33:07 +08:00
|
|
|
SELECT 'denied_table3', catch_permission_error($$SELECT * FROM test3;$$);
|
|
|
|
SELECT 'denied_tableas3', catch_permission_error($$SELECT * FROM test3_tablesas;$$);
|
|
|
|
SELECT 'denied_view3', catch_permission_error($$SELECT * FROM test3_view;$$);
|
|
|
|
SELECT 'denied_mview3', catch_permission_error($$SELECT * FROM test3_mview;$$);
|
|
|
|
SELECT 'denied_selectinto3', catch_permission_error($$SELECT * FROM test3_selectinto;$$);
|
2019-10-25 18:26:21 +08:00
|
|
|
SELECT 'denied_function3', catch_permission_error($$SELECT public.test3_function();$$);
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
DROP TABLE test3_tablesas;
|
|
|
|
DROP VIEW test3_view;
|
|
|
|
DROP MATERIALIZED VIEW test3_mview;
|
|
|
|
DROP TABLE test3_selectinto;
|
|
|
|
DROP TABLE test3;
|
2019-10-25 17:34:59 +08:00
|
|
|
DROP FUNCTION test3_function;
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
-- Fourth part with the event trigger active and configured
|
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION postgres;
|
|
|
|
SELECT CDB_Conf_SetConf('api_keys_creator_role', '{"username": "creator_role", "permissions":[], "ownership_role_name": "ownership_role"}');
|
|
|
|
SET SESSION AUTHORIZATION "creator_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
CREATE TABLE test4(id INT);
|
|
|
|
INSERT INTO test4 VALUES(1);
|
|
|
|
CREATE TABLE test4_tablesas AS SELECT * FROM test4;
|
|
|
|
CREATE VIEW test4_view AS SELECT * FROM test4;
|
|
|
|
CREATE MATERIALIZED VIEW test4_mview AS SELECT * FROM test4;
|
|
|
|
SELECT * INTO test4_selectinto FROM test4;
|
2019-10-25 17:50:03 +08:00
|
|
|
CREATE FUNCTION test4_function() RETURNS integer AS $$ BEGIN RETURN 1; END; $$ LANGUAGE PLPGSQL;
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
SELECT * FROM test4;
|
|
|
|
SELECT * FROM test4_tablesas;
|
|
|
|
SELECT * FROM test4_view;
|
|
|
|
SELECT * FROM test4_mview;
|
|
|
|
SELECT * FROM test4_selectinto;
|
2019-10-25 18:26:21 +08:00
|
|
|
SELECT public.test4_function();
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION "ownership_role";
|
|
|
|
\set QUIET off
|
|
|
|
|
|
|
|
SELECT * FROM test4;
|
|
|
|
SELECT * FROM test4_tablesas;
|
|
|
|
SELECT * FROM test4_view;
|
|
|
|
SELECT * FROM test4_mview;
|
|
|
|
SELECT * FROM test4_selectinto;
|
2019-10-25 18:26:21 +08:00
|
|
|
SELECT public.test4_function();
|
2019-07-04 19:46:53 +08:00
|
|
|
|
|
|
|
-- Ownership role drops the tables
|
|
|
|
DROP TABLE test4_tablesas;
|
|
|
|
DROP VIEW test4_view;
|
|
|
|
DROP MATERIALIZED VIEW test4_mview;
|
|
|
|
DROP TABLE test4_selectinto;
|
|
|
|
DROP TABLE test4;
|
2019-10-25 17:34:59 +08:00
|
|
|
DROP FUNCTION test4_function;
|
2019-07-04 00:00:57 +08:00
|
|
|
|
|
|
|
-- Cleanup
|
|
|
|
\set QUIET on
|
|
|
|
SET SESSION AUTHORIZATION postgres;
|
|
|
|
SELECT CDB_DisableOAuthReassignTablesTrigger();
|
|
|
|
DROP ROLE "ownership_role";
|
|
|
|
REVOKE ALL ON SCHEMA cartodb FROM "creator_role";
|
|
|
|
DROP ROLE "creator_role";
|
|
|
|
DELETE FROM cdb_conf WHERE key = 'api_keys_creator_role';
|
2019-10-24 17:33:07 +08:00
|
|
|
DROP FUNCTION catch_permission_error(text);
|
2019-07-04 00:00:57 +08:00
|
|
|
\set QUIET off
|