Skip to content

Commit 54cd79c

Browse files
mohitj1988mohitj1988
authored
PG-1517 - Automate testcase for (#243)
PG-1473 - Executing pg_tde_verify_principal_key() must require key viewer permission.
1 parent 607cf93 commit 54cd79c

File tree

2 files changed

+90
-26
lines changed

2 files changed

+90
-26
lines changed

contrib/pg_tde/expected/access_control.out

Lines changed: 60 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,38 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
22
CREATE USER regress_pg_tde_access_control;
33
SET ROLE regress_pg_tde_access_control;
44
-- should throw access denied
5-
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
5+
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
66
ERROR: permission denied for function pg_tde_add_database_key_provider_file
7-
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
7+
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
88
ERROR: permission denied for function pg_tde_set_key_using_database_key_provider
9+
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
10+
ERROR: must be superuser to modify global key providers
11+
SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'global-file-provider');
12+
ERROR: must be superuser to access global key providers
13+
SELECT pg_tde_set_server_key_using_global_key_provider('wal-key','global-file-provider');
14+
ERROR: must be superuser to access global key providers
15+
SELECT pg_tde_set_default_key_using_global_key_provider('def-key', 'global-file-provider');
16+
ERROR: must be superuser to access global key providers
17+
SELECT pg_tde_delete_database_key_provider('local-file-provider');
18+
ERROR: permission denied for function pg_tde_delete_database_key_provider
19+
SELECT pg_tde_delete_global_key_provider('global-file-provider');
20+
ERROR: must be superuser to modify global key providers
21+
SELECT pg_tde_list_all_database_key_providers();
22+
ERROR: permission denied for function pg_tde_list_all_database_key_providers
23+
SELECT pg_tde_list_all_global_key_providers();
24+
ERROR: permission denied for function pg_tde_list_all_global_key_providers
25+
SELECT pg_tde_key_info();
26+
ERROR: permission denied for function pg_tde_key_info
27+
SELECT pg_tde_server_key_info();
28+
ERROR: permission denied for function pg_tde_server_key_info
29+
SELECT pg_tde_default_key_info();
30+
ERROR: permission denied for function pg_tde_default_key_info
31+
SELECT pg_tde_verify_key();
32+
ERROR: permission denied for function pg_tde_verify_key
33+
SELECT pg_tde_verify_server_key();
34+
ERROR: permission denied for function pg_tde_verify_server_key
35+
SELECT pg_tde_verify_default_key();
36+
ERROR: permission denied for function pg_tde_verify_default_key
937
RESET ROLE;
1038
SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
1139
pg_tde_grant_database_key_management_to_role
@@ -21,42 +49,48 @@ SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
2149

2250
SET ROLE regress_pg_tde_access_control;
2351
-- should now be allowed
24-
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
52+
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
2553
pg_tde_add_database_key_provider_file
2654
---------------------------------------
2755
1
2856
(1 row)
2957

30-
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
58+
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
3159
pg_tde_set_key_using_database_key_provider
3260
--------------------------------------------
3361

3462
(1 row)
3563

3664
SELECT * FROM pg_tde_list_all_database_key_providers();
37-
id | provider_name | provider_type | options
38-
----+---------------+---------------+------------------------------------------------------------
39-
1 | file-vault | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
65+
id | provider_name | provider_type | options
66+
----+---------------------+---------------+------------------------------------------------------------
67+
1 | local-file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
4068
(1 row)
4169

4270
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
43-
key_name | key_provider_name | key_provider_id
44-
-------------+-------------------+-----------------
45-
test-db-key | file-vault | 1
71+
key_name | key_provider_name | key_provider_id
72+
-------------+---------------------+-----------------
73+
test-db-key | local-file-provider | 1
74+
(1 row)
75+
76+
SELECT pg_tde_verify_key();
77+
pg_tde_verify_key
78+
-------------------
79+
4680
(1 row)
4781

4882
-- only superuser
49-
SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
83+
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
5084
ERROR: must be superuser to modify global key providers
51-
SELECT pg_tde_change_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
85+
SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
5286
ERROR: must be superuser to modify global key providers
53-
SELECT pg_tde_delete_global_key_provider('file-vault');
87+
SELECT pg_tde_delete_global_key_provider('global-file-provider');
5488
ERROR: must be superuser to modify global key providers
55-
SELECT pg_tde_set_key_using_global_key_provider('key1', 'file-vault');
89+
SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
5690
ERROR: must be superuser to access global key providers
57-
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'file-vault');
91+
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
5892
ERROR: must be superuser to access global key providers
59-
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'file-vault');
93+
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
6094
ERROR: must be superuser to access global key providers
6195
RESET ROLE;
6296
SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
@@ -71,5 +105,15 @@ SELECT * FROM pg_tde_list_all_database_key_providers();
71105
ERROR: permission denied for function pg_tde_list_all_database_key_providers
72106
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
73107
ERROR: permission denied for function pg_tde_key_info
108+
SELECT pg_tde_verify_key();
109+
ERROR: permission denied for function pg_tde_verify_key
110+
SELECT pg_tde_server_key_info();
111+
ERROR: permission denied for function pg_tde_server_key_info
112+
SELECT pg_tde_default_key_info();
113+
ERROR: permission denied for function pg_tde_default_key_info
114+
SELECT pg_tde_verify_server_key();
115+
ERROR: permission denied for function pg_tde_verify_server_key
116+
SELECT pg_tde_verify_default_key();
117+
ERROR: permission denied for function pg_tde_verify_default_key
74118
RESET ROLE;
75119
DROP EXTENSION pg_tde CASCADE;

contrib/pg_tde/sql/access_control.sql

Lines changed: 30 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,22 @@ CREATE USER regress_pg_tde_access_control;
55
SET ROLE regress_pg_tde_access_control;
66

77
-- should throw access denied
8-
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
9-
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
8+
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
9+
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
10+
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
11+
SELECT pg_tde_set_key_using_global_key_provider('test-db-key', 'global-file-provider');
12+
SELECT pg_tde_set_server_key_using_global_key_provider('wal-key','global-file-provider');
13+
SELECT pg_tde_set_default_key_using_global_key_provider('def-key', 'global-file-provider');
14+
SELECT pg_tde_delete_database_key_provider('local-file-provider');
15+
SELECT pg_tde_delete_global_key_provider('global-file-provider');
16+
SELECT pg_tde_list_all_database_key_providers();
17+
SELECT pg_tde_list_all_global_key_providers();
18+
SELECT pg_tde_key_info();
19+
SELECT pg_tde_server_key_info();
20+
SELECT pg_tde_default_key_info();
21+
SELECT pg_tde_verify_key();
22+
SELECT pg_tde_verify_server_key();
23+
SELECT pg_tde_verify_default_key();
1024

1125
RESET ROLE;
1226

@@ -16,18 +30,19 @@ SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
1630
SET ROLE regress_pg_tde_access_control;
1731

1832
-- should now be allowed
19-
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
20-
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
33+
SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
34+
SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
2135
SELECT * FROM pg_tde_list_all_database_key_providers();
2236
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
37+
SELECT pg_tde_verify_key();
2338

2439
-- only superuser
25-
SELECT pg_tde_add_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
26-
SELECT pg_tde_change_global_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
27-
SELECT pg_tde_delete_global_key_provider('file-vault');
28-
SELECT pg_tde_set_key_using_global_key_provider('key1', 'file-vault');
29-
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'file-vault');
30-
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'file-vault');
40+
SELECT pg_tde_add_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
41+
SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_tde_test_keyring.per');
42+
SELECT pg_tde_delete_global_key_provider('global-file-provider');
43+
SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
44+
SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');
45+
SELECT pg_tde_set_server_key_using_global_key_provider('key1', 'global-file-provider');
3146

3247
RESET ROLE;
3348

@@ -38,6 +53,11 @@ SET ROLE regress_pg_tde_access_control;
3853
-- verify the view access is revoked
3954
SELECT * FROM pg_tde_list_all_database_key_providers();
4055
SELECT key_name, key_provider_name, key_provider_id FROM pg_tde_key_info();
56+
SELECT pg_tde_verify_key();
57+
SELECT pg_tde_server_key_info();
58+
SELECT pg_tde_default_key_info();
59+
SELECT pg_tde_verify_server_key();
60+
SELECT pg_tde_verify_default_key();
4161

4262
RESET ROLE;
4363

0 commit comments

Comments
 (0)