def test_hacker_trying_to_create_schema(self): db = "test_db" admin_on_test_db = CLI({**creds, **{"PGDATABASE": db}}) try: # Create tables admin_on_test_db.execute( "GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO " + "user_x") hacker_user = Expect({ **creds, **{ "PGUSER": '******', "PGDATABASE": db, "PGPASSWORD": Expect.TMP_PASSWORD } }) hacker_user.execute_template("sql/test_table.sql.tpl", TABLE='user_x_table') admin_on_test_db.execute_template("sql/query_permissions.sql.tpl", USER='******') hacker_user.expect_execute( "CREATE SCHEMA %s;" % 'new_schema', 'permission denied for database test_db') hacker_user.close() finally: admin_on_test_db.close() return self
def test_cross_project_attempt_to_grant_usage(self): admin = CLI(creds) db = "test_db" try: hacker_user = Expect({ **creds, **{ "PGUSER": '******', "PGDATABASE": db, "PGPASSWORD": Expect.TMP_PASSWORD } }) hacker_user.execute_template("sql/test_data_force_grant_1.sql.tpl", WORKSPACE=db, USER='******') con = Expect({ **creds, **{ "PGUSER": '******', "PGDATABASE": 'project_1', "PGPASSWORD": Expect.TMP_PASSWORD } }) con.expect_execute( "SELECT * from test_db.protected_data.table_1", 'cross-database references are not implemented') con.close() hacker_user.close() finally: admin.close() return self
def test_no_existing_table(self): con = Expect({ **creds, **{ "PGUSER": '******', "PGDATABASE": 'project_1', "PGPASSWORD": Expect.TMP_PASSWORD } }) try: con.expect_execute( "SELECT * from protected_data.table_1", 'relation "protected_data.table_1" does not exist') finally: con.close() return self
def test_hacker_granting_access_with_connect(self): db = "test_db" admin_on_test_db = CLI({**creds, **{"PGDATABASE": db}}) try: hacker_user = Expect({ **creds, **{ "PGUSER": '******', "PGDATABASE": db, "PGPASSWORD": Expect.TMP_PASSWORD } }) hacker_user.execute_template("sql/test_data_force_grant_1.sql.tpl", WORKSPACE=db, USER='******') # grant user connect admin_on_test_db.execute_template("sql/user_connect.sql.tpl", APP_DATABASE=db, USER='******') con = Expect({ **creds, **{ "PGUSER": '******', "PGDATABASE": db, "PGPASSWORD": Expect.TMP_PASSWORD } }) con.expect_execute("SELECT * from protected_data.table_1", 'permission denied for schema protected_data') admin_on_test_db.execute_template("sql/query_permissions.sql.tpl", USER='******') con.close() admin_on_test_db.close() finally: admin_on_test_db.close() return self
def test_single_project(self): admin = CLI(creds) try: db = "test_db" prep_db = Expect({**creds, **{"PGDATABASE": db}}) prep_db.execute_template("sql/test_data_project.sql.tpl") prep_db.close() user = Expect({ **creds, **{ "PGUSER": '******', "PGDATABASE": db, "PGPASSWORD": Expect.TMP_PASSWORD } }) user.expect_execute("SELECT * from pg_settings", 'permission denied for relation pg_settings') user.expect_success("SELECT * from protected_data.table_1") user.expect_execute( "CREATE TABLE protected_data.table_2 (name varchar(20));", 'permission denied for schema protected_data') user.expect_success( "CREATE TABLE working_data.table_2 (name varchar(20));") admin_on_test_db = Expect({**creds, **{"PGDATABASE": db}}) admin_on_test_db.match_results( "sql/query_permissions.sql.tpl", 'results/test_single_project/perms.txt', USER='******') admin_on_test_db.close() user.close() finally: admin.close()
def test_hacker_trying_to_grant_role_to_another_user(self): db = "test_db" hacker_user = Expect({ **creds, **{ "PGUSER": '******', "PGDATABASE": db, "PGPASSWORD": Expect.TMP_PASSWORD } }) try: hacker_user.expect_execute( "GRANT %s_contribute TO %s;" % (db, 'project_1_user_1'), 'must have admin option on role "test_db_contribute"') finally: hacker_user.close() return self
def test_incremental_user_access(self): db = "test_db" admin_on_test_db = CLI({**creds, **{"PGDATABASE": db}}) try: prep_db = Expect({**creds, **{"PGDATABASE": db}}) prep_db.execute_template("sql/test_data_project.sql.tpl") user = "******" admin_on_test_db.execute_template("sql/user.sql.tpl", USER=user, PASSWORD=Expect.TMP_PASSWORD) prep_db.expect_connect(db, user, 'User does not have CONNECT privilege.') admin_on_test_db.execute_template("sql/user_connect.sql.tpl", APP_DATABASE=db, USER=user) user_db = Expect({ **creds, **{ "PGUSER": user, "PGDATABASE": db, "PGPASSWORD": Expect.TMP_PASSWORD } }) user_db.expect_execute( "SELECT * from pg_settings", 'permission denied for relation pg_settings') user_db.expect_execute( "SELECT * from protected_data.table_1", 'permission denied for schema protected_data') admin_on_test_db.execute_template("sql/setup_user.sql.tpl", WORKSPACE=db, USER=user) user_db.expect_success("SELECT * from protected_data.table_1") user_db.expect_execute( "CREATE TABLE protected_data.table_2 (name varchar(20));", 'permission denied for schema protected_data') user_db.expect_execute( "CREATE TABLE working_data.table_2 (name varchar(20));", 'permission denied for schema pg_catalog') admin_on_test_db.execute_template("sql/setup_user_2.sql.tpl", WORKSPACE=db, USER=user) user_db.expect_success( "CREATE TABLE working_data.table_2 (name varchar(20));") prep_db.match_results( "sql/query_permissions.sql.tpl", 'results/test_incremental_user_access/perms.txt', USER=user) user_db.close() prep_db.close() finally: admin_on_test_db.close()