374 lines
9.8 KiB
Go
374 lines
9.8 KiB
Go
// Copyright 2024 Dolthub, Inc.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package _go
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/dolthub/go-mysql-server/sql"
|
|
)
|
|
|
|
// TestAuthQuick is modeled after the QuickPrivilegeTest in GMS, so please refer to the documentation there:
|
|
// https://github.com/dolthub/go-mysql-server/blob/main/enginetest/queries/priv_auth_queries.go
|
|
func TestAuthQuick(t *testing.T) {
|
|
// Statements that are run before every test (the state that all tests start with):
|
|
// CREATE USER tester PASSWORD 'password';
|
|
// CREATE SCHEMA mysch;
|
|
// CREATE SCHEMA othersch;
|
|
// CREATE TABLE mysch.test (pk BIGINT PRIMARY KEY, v1 BIGINT);
|
|
// CREATE TABLE mysch.test2 (pk BIGINT PRIMARY KEY, v1 BIGINT);
|
|
// CREATE TABLE othersch.test (pk BIGINT PRIMARY KEY, v1 BIGINT);
|
|
// CREATE TABLE othersch.test2 (pk BIGINT PRIMARY KEY, v1 BIGINT);
|
|
// INSERT INTO mysch.test VALUES (0, 0), (1, 1);
|
|
// INSERT INTO mysch.test2 VALUES (0, 1), (1, 2);
|
|
// INSERT INTO othersch.test VALUES (1, 1), (2, 2);
|
|
// INSERT INTO othersch.test2 VALUES (1, 1), (2, 2);
|
|
type QuickPrivilegeTest struct {
|
|
Focus bool
|
|
Queries []string
|
|
Expected []sql.Row
|
|
ExpectedErr string
|
|
}
|
|
tests := []QuickPrivilegeTest{
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON ALL TABLES IN SCHEMA mysch TO tester;",
|
|
"SELECT * FROM mysch.test;",
|
|
},
|
|
Expected: []sql.Row{{0, 0}, {1, 1}},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON ALL TABLES IN SCHEMA mysch TO tester;",
|
|
"SELECT * FROM mysch.test2;",
|
|
},
|
|
Expected: []sql.Row{{0, 1}, {1, 2}},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON mysch.test TO tester;",
|
|
"SELECT * FROM mysch.test;",
|
|
},
|
|
Expected: []sql.Row{{0, 0}, {1, 1}},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON mysch.test TO tester;",
|
|
"SELECT * FROM mysch.test2;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON ALL TABLES IN SCHEMA othersch TO tester;",
|
|
"SELECT * FROM mysch.test;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON othersch.test TO tester;",
|
|
"SELECT * FROM mysch.test;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON othersch.test TO tester;",
|
|
"SELECT * FROM mysch.test;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE SCHEMA newsch;",
|
|
},
|
|
ExpectedErr: "permission denied for database",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT CREATE ON DATABASE postgres TO tester;",
|
|
"CREATE SCHEMA newsch;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT CREATE ON DATABASE postgres TO tester;",
|
|
"CREATE SCHEMA newsch;",
|
|
"DROP SCHEMA newsch;",
|
|
},
|
|
ExpectedErr: "permission denied for schema",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE TABLE mysch.new_table (pk BIGINT PRIMARY KEY);",
|
|
},
|
|
ExpectedErr: "permission denied for schema",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT CREATE ON SCHEMA mysch TO tester;",
|
|
"CREATE TABLE mysch.new_table (pk BIGINT PRIMARY KEY);",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE ROLE new_role;",
|
|
},
|
|
ExpectedErr: "does not have permission",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"ALTER ROLE tester CREATEROLE;",
|
|
"CREATE ROLE new_role;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE USER new_user;",
|
|
},
|
|
ExpectedErr: "does not have permission",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"ALTER ROLE tester SUPERUSER;",
|
|
"CREATE USER new_user;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE USER new_user;",
|
|
"DROP USER new_user;",
|
|
},
|
|
ExpectedErr: "does not have permission",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE USER new_user;",
|
|
"ALTER ROLE tester CREATEROLE;",
|
|
"DROP USER new_user;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE USER new_user SUPERUSER;",
|
|
"ALTER ROLE tester CREATEROLE;",
|
|
"DROP USER new_user;",
|
|
},
|
|
ExpectedErr: "does not have permission",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE USER new_user SUPERUSER;",
|
|
"ALTER ROLE tester SUPERUSER;",
|
|
"DROP USER new_user;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"DELETE FROM mysch.test WHERE pk >= 0;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT DELETE ON ALL TABLES IN SCHEMA mysch TO tester;",
|
|
"DELETE FROM mysch.test WHERE pk >= 0;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT DELETE ON mysch.test TO tester;",
|
|
"DELETE FROM mysch.test WHERE pk >= 0;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE USER tester2;",
|
|
"GRANT DELETE ON ALL TABLES IN SCHEMA mysch TO tester2;",
|
|
"GRANT tester2 TO tester;",
|
|
"DELETE FROM mysch.test WHERE pk >= 0;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"SELECT * FROM mysch.test JOIN mysch.test2 ON test.pk = test2.pk;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON mysch.test TO tester;",
|
|
"SELECT * FROM mysch.test JOIN mysch.test2 ON test.pk = test2.pk;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON mysch.test2 TO tester;",
|
|
"SELECT * FROM mysch.test JOIN mysch.test2 ON test.pk = test2.pk;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT SELECT ON mysch.test TO tester;",
|
|
"GRANT SELECT ON mysch.test2 TO tester;",
|
|
"SELECT * FROM mysch.test JOIN mysch.test2 ON test.pk = test2.pk;",
|
|
},
|
|
Expected: []sql.Row{{0, 0, 0, 1}, {1, 1, 1, 2}},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE USER tester2;",
|
|
"GRANT SELECT ON mysch.test2 TO tester2;",
|
|
"GRANT tester2 TO tester;",
|
|
"SELECT * FROM mysch.test JOIN mysch.test2 ON test.pk = test2.pk;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE USER tester2;",
|
|
"GRANT SELECT ON mysch.test TO tester2;",
|
|
"GRANT SELECT ON mysch.test2 TO tester2;",
|
|
"GRANT tester2 TO tester;",
|
|
"SELECT * FROM mysch.test JOIN mysch.test2 ON test.pk = test2.pk;",
|
|
},
|
|
Expected: []sql.Row{{0, 0, 0, 1}, {1, 1, 1, 2}},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE TABLE mysch.new_table (pk BIGINT PRIMARY KEY);",
|
|
"DROP TABLE mysch.new_table;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA mysch TO tester;",
|
|
"REVOKE DROP ON ALL TABLES IN SCHEMA mysch FROM tester;",
|
|
"CREATE TABLE mysch.new_table (pk BIGINT PRIMARY KEY);",
|
|
"DROP TABLE mysch.new_table;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE TABLE mysch.new_table (pk BIGINT PRIMARY KEY);",
|
|
"GRANT DROP ON mysch.new_table TO tester;",
|
|
"DROP TABLE mysch.new_table;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE TABLE mysch.new_table (pk BIGINT PRIMARY KEY);",
|
|
"GRANT postgres TO tester;",
|
|
"DROP TABLE mysch.new_table;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"CREATE ROLE new_role;",
|
|
"DROP ROLE new_role;",
|
|
},
|
|
ExpectedErr: "does not have permission",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"ALTER ROLE tester CREATEROLE;",
|
|
"CREATE ROLE new_role;",
|
|
"DROP ROLE new_role;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"INSERT INTO mysch.test VALUES (9, 9);",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT INSERT ON ALL TABLES IN SCHEMA mysch TO tester;",
|
|
"INSERT INTO mysch.test VALUES (9, 9);",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT INSERT ON mysch.test TO tester;",
|
|
"INSERT INTO mysch.test VALUES (9, 9);",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"UPDATE mysch.test SET v1 = 0;",
|
|
},
|
|
ExpectedErr: "permission denied for table",
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT UPDATE ON ALL TABLES IN SCHEMA mysch TO tester;",
|
|
"UPDATE mysch.test SET v1 = 0;",
|
|
},
|
|
},
|
|
{
|
|
Queries: []string{
|
|
"GRANT UPDATE ON mysch.test TO tester;",
|
|
"UPDATE mysch.test SET v1 = 0;",
|
|
},
|
|
},
|
|
}
|
|
// Here we'll convert each quick test into a standard test
|
|
scriptTests := make([]ScriptTest, len(tests))
|
|
for testIdx, test := range tests {
|
|
scriptTests[testIdx] = ScriptTest{
|
|
Name: strings.Join(test.Queries, "\n > "),
|
|
Database: "",
|
|
SetUpScript: []string{
|
|
"CREATE USER tester PASSWORD 'password';",
|
|
"CREATE SCHEMA mysch;",
|
|
"CREATE SCHEMA othersch;",
|
|
"CREATE TABLE mysch.test (pk BIGINT PRIMARY KEY, v1 BIGINT);",
|
|
"CREATE TABLE mysch.test2 (pk BIGINT PRIMARY KEY, v1 BIGINT);",
|
|
"CREATE TABLE othersch.test (pk BIGINT PRIMARY KEY, v1 BIGINT);",
|
|
"CREATE TABLE othersch.test2 (pk BIGINT PRIMARY KEY, v1 BIGINT);",
|
|
"INSERT INTO mysch.test VALUES (0, 0), (1, 1);",
|
|
"INSERT INTO mysch.test2 VALUES (0, 1), (1, 2);",
|
|
"INSERT INTO othersch.test VALUES (1, 1), (2, 2);",
|
|
"INSERT INTO othersch.test2 VALUES (1, 1), (2, 2);",
|
|
},
|
|
Assertions: make([]ScriptTestAssertion, len(test.Queries)),
|
|
Focus: test.Focus,
|
|
}
|
|
for queryIdx := 0; queryIdx < len(test.Queries)-1; queryIdx++ {
|
|
scriptTests[testIdx].Assertions[queryIdx] = ScriptTestAssertion{
|
|
Query: test.Queries[queryIdx],
|
|
SkipResultsCheck: true,
|
|
Username: "postgres",
|
|
Password: "password",
|
|
}
|
|
}
|
|
scriptTests[testIdx].Assertions[len(test.Queries)-1] = ScriptTestAssertion{
|
|
Query: test.Queries[len(test.Queries)-1],
|
|
Expected: test.Expected,
|
|
ExpectedErr: test.ExpectedErr,
|
|
Username: "tester",
|
|
Password: "password",
|
|
}
|
|
}
|
|
RunScripts(t, scriptTests)
|
|
}
|