mirror/dolt
1
0
Fork 0
mirror of https://github.com/dolthub/dolt.git synced 2026-02-13 19:28:50 -06:00
Code Issues Packages Projects Releases 129 Wiki Activity
Files
fca1ec3d072ea8fe5ee795a9537cf2d971e7788e
dolt/integration-tests/bats/sql-procedure-privs.bats
Neil Macneale IV bf9897ed25 PR Feedback (noop)
2023-10-31 15:43:05 -07:00

159 lines
5.5 KiB
Bash
Raw Blame History

#!/usr/bin/env bats
load $BATS_TEST_DIRNAME/helper/common.bash
# Suite of tests to validate restrictions on procedure privileges.
# working dir will be test_db, which has a single database: mydb
make_test_db_and_users() {
rm -rf test_db
mkdir test_db
cd test_db
mkdir mydb
cd mydb
dolt init
cd ..
## All tests need a user, or two.
dolt sql -q "CREATE USER neil@localhost IDENTIFIED BY 'pwd'"
dolt sql -q "CREATE USER mike@localhost IDENTIFIED BY 'pwd'"
}
# working dir will be dolt_repo$$
delete_test_repo() {
cd ..
rm -rf test_db
}
setup() {
setup_no_dolt_init
make_test_db_and_users
}
teardown() {
delete_test_repo
teardown_common
}
@test "sql-procedure-privs: smoke test" {
dolt sql -q "GRANT SELECT ON mydb.* TO neil@localhost"
dolt sql -q "GRANT EXECUTE ON mydb.* TO mike@localhost"
dolt -u neil -p pwd sql -q "select * from dolt_log()"
run dolt -u neil -p pwd sql -q "call dolt_branch('br1')"
[ $status -eq 1 ]
[[ $output =~ "command denied to user 'neil'@'localhost" ]] || false
dolt -u mike -p pwd sql -q "select * from dolt_log()"
dolt -u mike -p pwd sql -q "call dolt_branch('br1')"
run dolt -u mike -p pwd sql -q "call dolt_gc()"
[ $status -eq 1 ]
[[ $output =~ "command denied to user 'mike'@'localhost" ]] || false
# Admin procedure privs must be granted explicitly
dolt sql -q "GRANT EXECUTE ON PROCEDURE mydb.dolt_gc TO mike@localhost"
dolt -u mike -p pwd sql -q "call dolt_gc()"
}
mike_blocked_check() {
run dolt -u mike -p pwd sql -q "call $1"
[ $status -eq 1 ]
[[ $output =~ "command denied to user 'mike'@'localhost" ]] || false
}
@test "sql-procedure-privs: admin procedures all block" {
# Execute privs on a DB does not grant admin procedure privs
dolt sql -q "GRANT EXECUTE ON mydb.* TO mike@localhost"
mike_blocked_check "dolt_backup('sync','foo')"
mike_blocked_check "dolt_clone('file:///myDatabasesDir/database/.dolt/noms')"
mike_blocked_check "dolt_fetch('origin')"
mike_blocked_check "dolt_gc()"
mike_blocked_check "dolt_pull('origin')"
mike_blocked_check "dolt_purge_dropped_databases()"
mike_blocked_check "dolt_remote('add','origin1','Dolthub/museum-collections')"
mike_blocked_check "dolt_undrop('foo')"
# Verify non-admin procedures are executable, not an exhaustive list tho.
dolt -u mike -p pwd sql -q "call dolt_branch('br1')"
dolt -u mike -p pwd sql -q "call dolt_checkout('br1')"
}
@test "sql-procedure-privs: direct execute privs are let through" {
# Execute privs on a DB does not grant admin procedure privs
dolt sql -q "GRANT EXECUTE ON PROCEDURE mydb.dolt_gc TO neil@localhost"
dolt -u neil -p pwd sql -q "call dolt_gc()"
run dolt -u neil -p pwd sql -q "call dolt_fetch('origin')"
[ $status -eq 1 ]
[[ $output =~ "command denied to user 'neil'@'localhost" ]] || false
# since no db privs exist, this user should not be able to do non-admin procedures
run dolt -u neil -p pwd sql -q "call dolt_branch('br1')"
[ $status -eq 1 ]
[[ $output =~ "command denied to user 'neil'@'localhost" ]] || false
}
@test "sql-procedure-privs: grant option works as explicit grant" {
# Give Mike grant, but not execute perms. Verify he can grant to Neil, but can't execute.
dolt sql -q "GRANT GRANT OPTION ON PROCEDURE mydb.dolt_gc TO mike@localhost"
# Being able to grant access does not give you access
mike_blocked_check "dolt_gc()"
run dolt -u neil -p pwd sql -q "call dolt_gc()"
[ $status -eq 1 ]
[[ $output =~ "Access denied for user 'neil'@'localhost' to database 'mydb'" ]] || false
dolt -u mike -p pwd sql -q "GRANT EXECUTE ON PROCEDURE mydb.dolt_gc TO neil@localhost"
dolt -u neil -p pwd sql -q "call dolt_gc()"
}
@test "sql-procedure-privs: grant option at DB level does not give admin grant priviliges" {
# Give Mike grant, but non-execute perms. Verify he can grant to Neil, but can't execute.
dolt sql -q "GRANT GRANT OPTION ON mydb.* TO mike@localhost"
# Being able to grant access does not give you access
mike_blocked_check "dolt_gc()"
run dolt -u mike -p pwd sql -q "GRANT EXECUTE ON PROCEDURE mydb.dolt_gc TO neil@localhost"
[ $status -eq 1 ]
[[ $output =~ "command denied to user 'mike'@'localhost" ]] || false
}
@test "sql-procedure-privs: grant option at DB level works for non-admin procedures" {
dolt sql -q "GRANT GRANT OPTION ON mydb.* TO mike@localhost"
mike_blocked_check "dolt_branch('br1')"
run dolt -u neil -p pwd sql -q "call dolt_branch('br1')"
[ $status -eq 1 ]
[[ $output =~ "Access denied for user 'neil'@'localhost' to database 'mydb'" ]] || false
dolt -u mike -p pwd sql -q "GRANT EXECUTE ON PROCEDURE mydb.dolt_branch TO neil@localhost"
dolt -u neil -p pwd sql -q "call dolt_branch('br1')"
}
@test "sql-procedure-privs: non-dolt procedure execution" {
dolt sql <<SQL
DELIMITER //
CREATE PROCEDURE user_proc()
BEGIN
SELECT 'hello cruel world';
END//
SQL
dolt sql -q "GRANT GRANT OPTION ON mydb.* TO mike@localhost"
mike_blocked_check "user_proc()"
run dolt -u neil -p pwd sql -q "call user_proc()"
[ $status -eq 1 ]
[[ $output =~ "Access denied for user 'neil'@'localhost' to database 'mydb'" ]] || false
dolt -u mike -p pwd sql -q "GRANT EXECUTE ON PROCEDURE mydb.user_proc TO neil@localhost"
dolt -u neil -p pwd sql -q "call user_proc()"
}
# TODO - Alter Routine Grants can be created and revoked (tested in enginetests), but we can't
# actually alter any routines in a meaningful way, so until we can there is nothing to test.
Reference in New Issue View Git Blame Copy Permalink