blob: d39ce88aee93a2f64071df5288077aaef8169a13 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
--
-- Test for facilities of security label
--
LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
-- initial setups
SET client_min_messages TO 'warning';
DROP ROLE IF EXISTS dummy_seclabel_user1;
DROP ROLE IF EXISTS dummy_seclabel_user2;
DROP TABLE IF EXISTS dummy_seclabel_tbl1;
DROP TABLE IF EXISTS dummy_seclabel_tbl2;
DROP TABLE IF EXISTS dummy_seclabel_tbl3;
CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
CREATE USER dummy_seclabel_user2;
CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
CREATE DOMAIN dummy_seclabel_domain AS text;
ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
RESET client_min_messages;
--
-- Test of SECURITY LABEL statement with a plugin
--
SET SESSION AUTHORIZATION dummy_seclabel_user1;
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
SET SESSION AUTHORIZATION dummy_seclabel_user2;
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
--
-- Test for shared database object
--
SET SESSION AUTHORIZATION dummy_seclabel_user1;
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
SET SESSION AUTHORIZATION dummy_seclabel_user2;
SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
RESET SESSION AUTHORIZATION;
--
-- Test for various types of object
--
RESET SESSION AUTHORIZATION;
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
CREATE SCHEMA dummy_seclabel_test;
SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
SELECT objtype, objname, provider, label FROM pg_seclabels
ORDER BY objtype, objname;
|
