sharpetronics/PostgreSQL
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-31 00:01:57 -04:00
Code Issues Projects Releases Wiki Activity

PG-1517 - Automate testcase for (#243)

Browse Source 
PG-1473 - Executing pg_tde_verify_principal_key() must require key
viewer permission.
This commit is contained in:
Mohit Joshi 2025-04-22 14:49:45 +05:30 committed by GitHub
parent 607cf9397d
commit 54cd79c81e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 90 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
contrib/pg_tde/expected/access_control.out
View File

@ -2,10 +2,38 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
CREATE USER regress_pg_tde_access_control;
SET ROLE regress_pg_tde_access_control;
-- should throw access denied
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
ERROR: permission denied for function pg_tde_add_database_key_provider_file
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
ERROR: permission denied for function pg_tde_set_key_using_database_key_provider
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
ERROR: must be superuser to modify global key providers
SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'global-file-provider');
ERROR: must be superuser to access global key providers
SELECT pg_tde_set_server_key_using_global_key_provider('wal-key','global-file-provider');
ERROR: must be superuser to access global key providers
SELECT pg_tde_set_default_key_using_global_key_provider('def-key', 'global-file-provider');
ERROR: must be superuser to access global key providers
SELECT pg_tde_delete_database_key_provider('local-file-provider');
ERROR: permission denied for function pg_tde_delete_database_key_provider
SELECT pg_tde_delete_global_key_provider('global-file-provider');
ERROR: must be superuser to modify global key providers
SELECT pg_tde_list_all_database_key_providers();
ERROR: permission denied for function pg_tde_list_all_database_key_providers
SELECT pg_tde_list_all_global_key_providers();
ERROR: permission denied for function pg_tde_list_all_global_key_providers
SELECT pg_tde_key_info();
ERROR: permission denied for function pg_tde_key_info
SELECT pg_tde_server_key_info();
ERROR: permission denied for function pg_tde_server_key_info
SELECT pg_tde_default_key_info();
ERROR: permission denied for function pg_tde_default_key_info
SELECT pg_tde_verify_key();
ERROR: permission denied for function pg_tde_verify_key
SELECT pg_tde_verify_server_key();
ERROR: permission denied for function pg_tde_verify_server_key
SELECT pg_tde_verify_default_key();
ERROR: permission denied for function pg_tde_verify_default_key
RESET ROLE;
SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
pg_tde_grant_database_key_management_to_role
@ -21,42 +49,48 @@ SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
SET ROLE regress_pg_tde_access_control;
-- should now be allowed
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
pg_tde_add_database_key_provider_file
---------------------------------------
1
(1 row)
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
pg_tde_set_key_using_database_key_provider
--------------------------------------------
(1 row)
SELECT * FROM pg_tde_list_all_database_key_providers();
id | provider_name | provider_type | options
----+---------------+---------------+------------------------------------------------------------
1 | file-vault | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
id | provider_name | provider_type | options
----+---------------------+---------------+------------------------------------------------------------
1 | local-file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
(1 row)
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
key_name | key_provider_name | key_provider_id
-------------+-------------------+-----------------
test-db-key | file-vault | 1
key_name | key_provider_name | key_provider_id
-------------+---------------------+-----------------
test-db-key | local-file-provider | 1
(1 row)
SELECT pg_tde_verify_key();
pg_tde_verify_key
-------------------
(1 row)
-- only superuser
SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
ERROR: must be superuser to modify global key providers
SELECT pg_tde_change_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
ERROR: must be superuser to modify global key providers
SELECT pg_tde_delete_global_key_provider('file-vault');
SELECT pg_tde_delete_global_key_provider('global-file-provider');
ERROR: must be superuser to modify global key providers
SELECT pg_tde_set_key_using_global_key_provider('key1', 'file-vault');
SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
ERROR: must be superuser to access global key providers
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'file-vault');
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
ERROR: must be superuser to access global key providers
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'file-vault');
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
ERROR: must be superuser to access global key providers
RESET ROLE;
SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
@ -71,5 +105,15 @@ SELECT * FROM pg_tde_list_all_database_key_providers();
ERROR: permission denied for function pg_tde_list_all_database_key_providers
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
ERROR: permission denied for function pg_tde_key_info
SELECT pg_tde_verify_key();
ERROR: permission denied for function pg_tde_verify_key
SELECT pg_tde_server_key_info();
ERROR: permission denied for function pg_tde_server_key_info
SELECT pg_tde_default_key_info();
ERROR: permission denied for function pg_tde_default_key_info
SELECT pg_tde_verify_server_key();
ERROR: permission denied for function pg_tde_verify_server_key
SELECT pg_tde_verify_default_key();
ERROR: permission denied for function pg_tde_verify_default_key
RESET ROLE;
DROP EXTENSION pg_tde CASCADE;

40
contrib/pg_tde/sql/access_control.sql
View File

@ -5,8 +5,22 @@ CREATE USER regress_pg_tde_access_control;
SET ROLE regress_pg_tde_access_control;
-- should throw access denied
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'global-file-provider');
SELECT pg_tde_set_server_key_using_global_key_provider('wal-key','global-file-provider');
SELECT pg_tde_set_default_key_using_global_key_provider('def-key', 'global-file-provider');
SELECT pg_tde_delete_database_key_provider('local-file-provider');
SELECT pg_tde_delete_global_key_provider('global-file-provider');
SELECT pg_tde_list_all_database_key_providers();
SELECT pg_tde_list_all_global_key_providers();
SELECT pg_tde_key_info();
SELECT pg_tde_server_key_info();
SELECT pg_tde_default_key_info();
SELECT pg_tde_verify_key();
SELECT pg_tde_verify_server_key();
SELECT pg_tde_verify_default_key();
RESET ROLE;
@ -16,18 +30,19 @@ SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
SET ROLE regress_pg_tde_access_control;
-- should now be allowed
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
SELECT * FROM pg_tde_list_all_database_key_providers();
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
SELECT pg_tde_verify_key();
-- only superuser
SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_change_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_delete_global_key_provider('file-vault');
SELECT pg_tde_set_key_using_global_key_provider('key1', 'file-vault');
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'file-vault');
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'file-vault');
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
SELECT pg_tde_delete_global_key_provider('global-file-provider');
SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
RESET ROLE;
@ -38,6 +53,11 @@ SET ROLE regress_pg_tde_access_control;
-- verify the view access is revoked
SELECT * FROM pg_tde_list_all_database_key_providers();
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
SELECT pg_tde_verify_key();
SELECT pg_tde_server_key_info();
SELECT pg_tde_default_key_info();
SELECT pg_tde_verify_server_key();
SELECT pg_tde_verify_default_key();
RESET ROLE;