From 54cd79c81e158d6f30d29bdbd74d2d654ed876a9 Mon Sep 17 00:00:00 2001
From: Mohit Joshi <mohit.joshi@percona.com>
Date: Tue, 22 Apr 2025 14:49:45 +0530
Subject: [PATCH] PG-1517 - Automate testcase for (#243)

PG-1473 - Executing pg_tde_verify_principal_key() must require key
viewer permission.
---
 contrib/pg_tde/expected/access_control.out | 76 +++++++++++++++++-----
 contrib/pg_tde/sql/access_control.sql      | 40 +++++++++---
 2 files changed, 90 insertions(+), 26 deletions(-)

diff --git a/contrib/pg_tde/expected/access_control.out b/contrib/pg_tde/expected/access_control.out
index c6a5594bc9b..5186a6b117c 100644
--- a/contrib/pg_tde/expected/access_control.out
+++ b/contrib/pg_tde/expected/access_control.out
@@ -2,10 +2,38 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
 CREATE USER regress_pg_tde_access_control;
 SET ROLE regress_pg_tde_access_control;
 -- should throw access denied
-SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
 ERROR:  permission denied for function pg_tde_add_database_key_provider_file
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
+SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
 ERROR:  permission denied for function pg_tde_set_key_using_database_key_provider
+SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
+ERROR:  must be superuser to modify global key providers
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'global-file-provider');
+ERROR:  must be superuser to access global key providers
+SELECT pg_tde_set_server_key_using_global_key_provider('wal-key','global-file-provider');
+ERROR:  must be superuser to access global key providers
+SELECT pg_tde_set_default_key_using_global_key_provider('def-key', 'global-file-provider');
+ERROR:  must be superuser to access global key providers
+SELECT pg_tde_delete_database_key_provider('local-file-provider');
+ERROR:  permission denied for function pg_tde_delete_database_key_provider
+SELECT pg_tde_delete_global_key_provider('global-file-provider');
+ERROR:  must be superuser to modify global key providers
+SELECT pg_tde_list_all_database_key_providers();
+ERROR:  permission denied for function pg_tde_list_all_database_key_providers
+SELECT pg_tde_list_all_global_key_providers();
+ERROR:  permission denied for function pg_tde_list_all_global_key_providers
+SELECT pg_tde_key_info();
+ERROR:  permission denied for function pg_tde_key_info
+SELECT pg_tde_server_key_info();
+ERROR:  permission denied for function pg_tde_server_key_info
+SELECT pg_tde_default_key_info();
+ERROR:  permission denied for function pg_tde_default_key_info
+SELECT pg_tde_verify_key();
+ERROR:  permission denied for function pg_tde_verify_key
+SELECT pg_tde_verify_server_key();
+ERROR:  permission denied for function pg_tde_verify_server_key
+SELECT pg_tde_verify_default_key();
+ERROR:  permission denied for function pg_tde_verify_default_key
 RESET ROLE;
 SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
  pg_tde_grant_database_key_management_to_role 
@@ -21,42 +49,48 @@ SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
 
 SET ROLE regress_pg_tde_access_control;
 -- should now be allowed
-SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
  pg_tde_add_database_key_provider_file 
 ---------------------------------------
                                      1
 (1 row)
 
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
+SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
  pg_tde_set_key_using_database_key_provider 
 --------------------------------------------
  
 (1 row)
 
 SELECT * FROM pg_tde_list_all_database_key_providers();
- id | provider_name | provider_type |                          options                           
-----+---------------+---------------+------------------------------------------------------------
-  1 | file-vault    | file          | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
+ id |    provider_name    | provider_type |                          options                           
+----+---------------------+---------------+------------------------------------------------------------
+  1 | local-file-provider | file          | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
 (1 row)
 
 SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
-  key_name   | key_provider_name | key_provider_id 
--------------+-------------------+-----------------
- test-db-key | file-vault        |               1
+  key_name   |  key_provider_name  | key_provider_id 
+-------------+---------------------+-----------------
+ test-db-key | local-file-provider |               1
+(1 row)
+
+SELECT pg_tde_verify_key();
+ pg_tde_verify_key 
+-------------------
+ 
 (1 row)
 
 -- only superuser
-SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
 ERROR:  must be superuser to modify global key providers
-SELECT pg_tde_change_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
 ERROR:  must be superuser to modify global key providers
-SELECT pg_tde_delete_global_key_provider('file-vault');
+SELECT pg_tde_delete_global_key_provider('global-file-provider');
 ERROR:  must be superuser to modify global key providers
-SELECT pg_tde_set_key_using_global_key_provider('key1', 'file-vault');
+SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
 ERROR:  must be superuser to access global key providers
-SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'file-vault');
+SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
 ERROR:  must be superuser to access global key providers
-SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'file-vault');
+SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
 ERROR:  must be superuser to access global key providers
 RESET ROLE;
 SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
@@ -71,5 +105,15 @@ SELECT * FROM pg_tde_list_all_database_key_providers();
 ERROR:  permission denied for function pg_tde_list_all_database_key_providers
 SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
 ERROR:  permission denied for function pg_tde_key_info
+SELECT pg_tde_verify_key();
+ERROR:  permission denied for function pg_tde_verify_key
+SELECT pg_tde_server_key_info();
+ERROR:  permission denied for function pg_tde_server_key_info
+SELECT pg_tde_default_key_info();
+ERROR:  permission denied for function pg_tde_default_key_info
+SELECT pg_tde_verify_server_key();
+ERROR:  permission denied for function pg_tde_verify_server_key
+SELECT pg_tde_verify_default_key();
+ERROR:  permission denied for function pg_tde_verify_default_key
 RESET ROLE;
 DROP EXTENSION pg_tde CASCADE;
diff --git a/contrib/pg_tde/sql/access_control.sql b/contrib/pg_tde/sql/access_control.sql
index f992304b1b5..9ec1b36d733 100644
--- a/contrib/pg_tde/sql/access_control.sql
+++ b/contrib/pg_tde/sql/access_control.sql
@@ -5,8 +5,22 @@ CREATE USER regress_pg_tde_access_control;
 SET ROLE regress_pg_tde_access_control;
 
 -- should throw access denied
-SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
+SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
+SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'global-file-provider');
+SELECT pg_tde_set_server_key_using_global_key_provider('wal-key','global-file-provider');
+SELECT pg_tde_set_default_key_using_global_key_provider('def-key', 'global-file-provider');
+SELECT pg_tde_delete_database_key_provider('local-file-provider');
+SELECT pg_tde_delete_global_key_provider('global-file-provider');
+SELECT pg_tde_list_all_database_key_providers();
+SELECT pg_tde_list_all_global_key_providers();
+SELECT pg_tde_key_info();
+SELECT pg_tde_server_key_info();
+SELECT pg_tde_default_key_info();
+SELECT pg_tde_verify_key();
+SELECT pg_tde_verify_server_key();
+SELECT pg_tde_verify_default_key();
 
 RESET ROLE;
 
@@ -16,18 +30,19 @@ SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
 SET ROLE regress_pg_tde_access_control;
 
 -- should now be allowed
-SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
-SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
+SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
 SELECT * FROM pg_tde_list_all_database_key_providers();
 SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
+SELECT pg_tde_verify_key();
 
 -- only superuser
-SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
-SELECT pg_tde_change_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
-SELECT pg_tde_delete_global_key_provider('file-vault');
-SELECT pg_tde_set_key_using_global_key_provider('key1', 'file-vault');
-SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'file-vault');
-SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'file-vault');
+SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_delete_global_key_provider('global-file-provider');
+SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
+SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
+SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
 
 RESET ROLE;
 
@@ -38,6 +53,11 @@ SET ROLE regress_pg_tde_access_control;
 -- verify the view access is revoked
 SELECT * FROM pg_tde_list_all_database_key_providers();
 SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
+SELECT pg_tde_verify_key();
+SELECT pg_tde_server_key_info();
+SELECT pg_tde_default_key_info();
+SELECT pg_tde_verify_server_key();
+SELECT pg_tde_verify_default_key();
 
 RESET ROLE;