| LOAD 'test_rls_hooks'; |
| |
| CREATE TABLE rls_test_permissive ( |
| username name, |
| supervisor name, |
| data integer |
| ); |
| |
| -- initial test data |
| INSERT INTO rls_test_permissive VALUES ('regress_r1','regress_s1',4); |
| INSERT INTO rls_test_permissive VALUES ('regress_r2','regress_s2',5); |
| INSERT INTO rls_test_permissive VALUES ('regress_r3','regress_s3',6); |
| |
| CREATE TABLE rls_test_restrictive ( |
| username name, |
| supervisor name, |
| data integer |
| ); |
| |
| -- At least one permissive policy must exist, otherwise |
| -- the default deny policy will be applied. For |
| -- testing the only-restrictive-policies from the hook, |
| -- create a simple 'allow all' policy. |
| CREATE POLICY p1 ON rls_test_restrictive USING (true); |
| |
| -- initial test data |
| INSERT INTO rls_test_restrictive VALUES ('regress_r1','regress_s1',1); |
| INSERT INTO rls_test_restrictive VALUES ('regress_r2','regress_s2',2); |
| INSERT INTO rls_test_restrictive VALUES ('regress_r3','regress_s3',3); |
| |
| CREATE TABLE rls_test_both ( |
| username name, |
| supervisor name, |
| data integer |
| ); |
| |
| -- initial test data |
| INSERT INTO rls_test_both VALUES ('regress_r1','regress_s1',7); |
| INSERT INTO rls_test_both VALUES ('regress_r2','regress_s2',8); |
| INSERT INTO rls_test_both VALUES ('regress_r3','regress_s3',9); |
| |
| ALTER TABLE rls_test_permissive ENABLE ROW LEVEL SECURITY; |
| ALTER TABLE rls_test_restrictive ENABLE ROW LEVEL SECURITY; |
| ALTER TABLE rls_test_both ENABLE ROW LEVEL SECURITY; |
| |
| CREATE ROLE regress_r1; |
| CREATE ROLE regress_s1; |
| |
| GRANT SELECT,INSERT ON rls_test_permissive TO regress_r1; |
| GRANT SELECT,INSERT ON rls_test_restrictive TO regress_r1; |
| GRANT SELECT,INSERT ON rls_test_both TO regress_r1; |
| |
| GRANT SELECT,INSERT ON rls_test_permissive TO regress_s1; |
| GRANT SELECT,INSERT ON rls_test_restrictive TO regress_s1; |
| GRANT SELECT,INSERT ON rls_test_both TO regress_s1; |
| |
| SET ROLE regress_r1; |
| |
| -- With only the hook's policies, permissive |
| -- hook's policy is current_user = username |
| EXPLAIN (costs off) SELECT * FROM rls_test_permissive; |
| |
| SELECT * FROM rls_test_permissive; |
| |
| -- success |
| INSERT INTO rls_test_permissive VALUES ('regress_r1','regress_s1',10); |
| |
| -- failure |
| INSERT INTO rls_test_permissive VALUES ('regress_r4','regress_s4',10); |
| |
| SET ROLE regress_s1; |
| |
| -- With only the hook's policies, restrictive |
| -- hook's policy is current_user = supervisor |
| EXPLAIN (costs off) SELECT * FROM rls_test_restrictive; |
| |
| SELECT * FROM rls_test_restrictive; |
| |
| -- success |
| INSERT INTO rls_test_restrictive VALUES ('regress_r1','regress_s1',10); |
| |
| -- failure |
| INSERT INTO rls_test_restrictive VALUES ('regress_r4','regress_s4',10); |
| |
| SET ROLE regress_s1; |
| |
| -- With only the hook's policies, both |
| -- permissive hook's policy is current_user = username |
| -- restrictive hook's policy is current_user = superuser |
| -- combined with AND, results in nothing being allowed |
| EXPLAIN (costs off) SELECT * FROM rls_test_both; |
| |
| SELECT * FROM rls_test_both; |
| |
| -- failure |
| INSERT INTO rls_test_both VALUES ('regress_r1','regress_s1',10); |
| |
| -- failure |
| INSERT INTO rls_test_both VALUES ('regress_r4','regress_s1',10); |
| |
| -- failure |
| INSERT INTO rls_test_both VALUES ('regress_r4','regress_s4',10); |
| |
| RESET ROLE; |
| |
| -- Create "internal" policies, to check that the policies from |
| -- the hooks are combined correctly. |
| CREATE POLICY p1 ON rls_test_permissive USING (data % 2 = 0); |
| |
| -- Remove the original allow-all policy |
| DROP POLICY p1 ON rls_test_restrictive; |
| CREATE POLICY p1 ON rls_test_restrictive USING (data % 2 = 0); |
| |
| CREATE POLICY p1 ON rls_test_both USING (data % 2 = 0); |
| |
| SET ROLE regress_r1; |
| |
| -- With both internal and hook policies, permissive |
| EXPLAIN (costs off) SELECT * FROM rls_test_permissive; |
| |
| SELECT * FROM rls_test_permissive; |
| |
| -- success |
| INSERT INTO rls_test_permissive VALUES ('regress_r1','regress_s1',7); |
| |
| -- success |
| INSERT INTO rls_test_permissive VALUES ('regress_r3','regress_s3',10); |
| |
| -- failure |
| INSERT INTO rls_test_permissive VALUES ('regress_r4','regress_s4',7); |
| |
| SET ROLE regress_s1; |
| |
| -- With both internal and hook policies, restrictive |
| EXPLAIN (costs off) SELECT * FROM rls_test_restrictive; |
| |
| SELECT * FROM rls_test_restrictive; |
| |
| -- success |
| INSERT INTO rls_test_restrictive VALUES ('regress_r1','regress_s1',8); |
| |
| -- failure |
| INSERT INTO rls_test_restrictive VALUES ('regress_r3','regress_s3',10); |
| |
| -- failure |
| INSERT INTO rls_test_restrictive VALUES ('regress_r1','regress_s1',7); |
| |
| -- failure |
| INSERT INTO rls_test_restrictive VALUES ('regress_r4','regress_s4',7); |
| |
| -- With both internal and hook policies, both permissive |
| -- and restrictive hook policies |
| EXPLAIN (costs off) SELECT * FROM rls_test_both; |
| |
| SELECT * FROM rls_test_both; |
| |
| -- success |
| INSERT INTO rls_test_both VALUES ('regress_r1','regress_s1',8); |
| |
| -- failure |
| INSERT INTO rls_test_both VALUES ('regress_r3','regress_s3',10); |
| |
| -- failure |
| INSERT INTO rls_test_both VALUES ('regress_r1','regress_s1',7); |
| |
| -- failure |
| INSERT INTO rls_test_both VALUES ('regress_r4','regress_s4',7); |
| |
| RESET ROLE; |
| |
| DROP TABLE rls_test_restrictive; |
| DROP TABLE rls_test_permissive; |
| DROP TABLE rls_test_both; |
| |
| DROP ROLE regress_r1; |
| DROP ROLE regress_s1; |
