2021-04-26 20:07:00 +02:00
#coding:utf-8
#
# id: bugs.core_4821
# title: grant create database to ROLE does not work: "no permission for CREATE access to DATABASE ..."
2021-11-26 19:20:43 +01:00
# decription:
2021-04-26 20:07:00 +02:00
# ::: NOTE ::: Test requires that databases.conf contains 'RemoteAccess = true' for security.db
# This line is added there by scenario '<QA_HOME>
# undaily.bat' every time when check new FB snapshot.
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# We make connection to security.db and create there user and role, with granting this role to user.
# (so, ROLE also is stored in the security.db).
# Then we grant privilege to create DB to just created role.
# After this we check that:
# * user can NOT create database if 'ROLE <this_role>' missed in the 'create database' statement;
# * user _CAN_ create database when issues: create database ... user ... password ... ROLE <this_role>
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# Then we create backup of just created database and check that:
# * user can NOT restore it until specifying '-ROLE <this_role>' in gbak command line;
# * user _CAN_ restore database when issues: gbak -rep ... -user ... -pas ... -ROLE <this_role>;
# * the same pair of checks is performed for fbsvcmgr invocation;
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# Finally, we connect again to security.db and drop <this_role>. After this restore must not be allowed
# even when "ROLE <this_role>" is specified in commands gbak or fbsvcmgr.
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# Checked on:
# 4.0.0.1713 SS: 5.250s.
# 4.0.0.1346 SC: 5.734s.
# 4.0.0.1691 CS: 9.875s.
# 3.0.5.33218 SS: 4.313s.
# 3.0.5.33084 SC: 4.031s.
# 3.0.5.33212 CS: 7.672s.
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# 13.04.2021. Adapted for run both on Windows and Linux. Checked on:
# Windows: 3.0.8.33445, 4.0.0.2416
# Linux: 3.0.8.33426, 4.0.0.2416
2021-11-26 19:20:43 +01:00
#
# [pcisar] 24.11.2021
# This test FAILs because it's not possible to grant create database to role tmp$db_creator
# although it exists (in test database):
# Statement failed, SQLSTATE = 28000
# unsuccessful metadata update
# -GRANT failed
# -SQL role TMP$DB_CREATOR does not exist
# -in security database
#
2021-04-26 20:07:00 +02:00
# tracker_id: CORE-4821
# min_versions: ['3.0.5']
# versions: 3.0.5
# qmid: None
import pytest
2021-11-26 19:20:43 +01:00
import sys
from pathlib import Path
2021-12-14 20:56:34 +01:00
from firebird . qa import db_factory , python_act , Action , temp_file , user_factory , User , \
role_factory , Role
2021-04-26 20:07:00 +02:00
# version: 3.0.5
# resources: None
2021-11-26 19:20:43 +01:00
substitutions_1 = [ ( ' no permission for CREATE access to DATABASE .* ' ,
' no permission for CREATE access to DATABASE ' ) ,
( ' gbak: ERROR:failed to create database .* ' ,
' gbak: ERROR:failed to create database ' ) ,
( ' -failed to create database .* ' , ' -failed to create database ' ) ,
( ' CREATED_DB_NAME .* ' , ' CREATED_DB_NAME ' ) ,
( ' FDB_RESTORED_USING_GBAK .* ' , ' FDB_RESTORED_USING_GBAK ' ) ,
( ' FDB_RESTORED_USING_SMGR .* ' , ' FDB_RESTORED_USING_SMGR ' ) ]
2021-04-26 20:07:00 +02:00
init_script_1 = """ """
db_1 = db_factory ( sql_dialect = 3 , init = init_script_1 )
# test_script_1
#---
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# import os
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# os.environ["ISC_USER"] = user_name
# os.environ["ISC_PASSWORD"] = user_password
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# this_db = db_conn.database_name
# db_conn.close()
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# #--------------------------------------------
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# def flush_and_close( file_handle ):
# # https://docs.python.org/2/library/os.html#os.fsync
# # If you're starting with a Python file object f,
# # first do f.flush(), and
# # then do os.fsync(f.fileno()), to ensure that all internal buffers associated with f are written to disk.
# global os
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# file_handle.flush()
# if file_handle.mode not in ('r', 'rb') and file_handle.name != os.devnull:
# # otherwise: "OSError: [Errno 9] Bad file descriptor"!
# os.fsync(file_handle.fileno())
# file_handle.close()
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# #--------------------------------------------
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# def cleanup( f_names_list ):
# global os
# for i in range(len( f_names_list )):
# if type(f_names_list[i]) == file:
# del_name = f_names_list[i].name
# elif type(f_names_list[i]) == str:
# del_name = f_names_list[i]
# else:
# print('Unrecognized type of element:', f_names_list[i], ' - can not be treated as file.')
# print('type(f_names_list[i])=',type(f_names_list[i]))
# del_name = None
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# if del_name and os.path.isfile( del_name ):
# os.remove( del_name )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# #--------------------------------------------
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# fdb_test1 = os.path.join(context['temp_directory'],'tmp_4821_test1.fdb')
# fdb_test2 = os.path.join(context['temp_directory'],'tmp_4821_test2.fdb')
# fbk_name = os.path.join(context['temp_directory'],'tmp_4821_test2.fbk')
# fdb_restored_using_gbak = os.path.join(context['temp_directory'],'tmp_4821_restored.gbak.fdb')
# fdb_restored_using_smgr = os.path.join(context['temp_directory'],'tmp_4821_restored.smgr.fdb')
# fdb_restored_unexpected = os.path.join(context['temp_directory'],'tmp_4821_restored.wo_grant.fdb')
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# f_list = [fdb_test1, fdb_test2, fbk_name, fdb_restored_using_gbak, fdb_restored_using_smgr, fdb_restored_unexpected]
# cleanup( f_list )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# sql_init='''
# set wng off;
# set bail on;
# set term ^;
# execute block as
# begin
# execute statement 'drop role tmp$db_creator';
# when any do begin end
# end^
# set term ;^
# commit;
# create role tmp$db_creator;
# commit;
# create or alter user tmp$c4821_boss password '123' using plugin Srp;
# revoke all on all from tmp$c4821_boss;
# grant create database to role tmp$db_creator;
# grant tmp$db_creator to tmp$c4821_boss;
# commit;
# --show grants;
# '''
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# runProgram('isql', [ 'localhost:security.db' ], sql_init)
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# sql_test='''
# create database 'localhost:%(fdb_test1)s' user tmp$c4821_boss password '123';
# select mon$database_name as created_db_name from mon$database;
# rollback;
# create database 'localhost:%(fdb_test2)s' user tmp$c4821_boss password '123' role tmp$db_creator;
# set list on;
# select mon$database_name as created_db_name from mon$database;
# ''' % locals()
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# runProgram('isql', [ '-q' ], sql_test)
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# # Must PASS because user tmp$c4821_boss is the owner of this DB:
# runProgram('gbak', [ '-b', 'localhost:' + fdb_test2, fbk_name, '-user', 'tmp$c4821_boss', '-pas', '123'] )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# # Must FAIL because we do not specify role, with text:
# # "gbak: ERROR:no permission for CREATE access to DATABASE ... / gbak: ERROR:failed to create database localhost:tmp_4821_restored.gbak.fdb"
# runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_using_gbak, '-user', 'tmp$c4821_boss', '-pas', '123'] )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# # Must PASS because we DO specify role:
# runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_using_gbak, '-user', 'tmp$c4821_boss', '-pas', '123', '-role', 'tmp$db_creator'] )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# runProgram('isql', [ 'localhost:'+fdb_restored_using_gbak ], 'set list on; select mon$database_name as fdb_restored_using_gbak from mon$database;')
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# # Must FAIL because we do not specify role, with text: "no permission for CREATE access to DATABASE ... / failed to create database tmp_4821_restored.smgr.fdb"
# runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_using_smgr ] )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# # Must PASS because we DO specify role:
# runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'role', 'tmp$db_creator', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_using_smgr ] )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# runProgram('isql', [ 'localhost:'+fdb_restored_using_smgr ], 'set list on; select mon$database_name as fdb_restored_using_smgr from mon$database;')
2021-11-26 19:20:43 +01:00
#
#
2021-04-26 20:07:00 +02:00
# # ATTENTION: now we DROP role and check that after this action user tmp$c4821_boss will not be allowed to restore DB
# #############################
# runProgram('isql', [ 'localhost:security.db' ], 'drop role tmp$db_creator; commit;')
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# # Must FAIL because there is no more role which was allowed to create DB
# # Error text: "gbak: ERROR:no permission for CREATE ... TMP_4821_RESTORED.WO_GRANT.FDB"
# runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_unexpected, '-user', 'tmp$c4821_boss', '-pas', '123', '-role', 'tmp$db_creator'] )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# # Must FAIL (because of the same reason), with text: "no permission for CREATE access to DATABASE TMP_4821_RESTORED.WO_GRANT.FDB"
# runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'role', 'tmp$db_creator', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_unexpected ] )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# # CLEANUP:
# ##########
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# sql_fini='''
# drop user tmp$c4821_boss using plugin Srp;
# commit;
# '''
# runProgram('isql', [ 'localhost:security.db' ], sql_fini)
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
# cleanup( f_list )
2021-11-26 19:20:43 +01:00
#
2021-04-26 20:07:00 +02:00
#---
2021-11-26 19:20:43 +01:00
act_1 = python_act ( ' db_1 ' , substitutions = substitutions_1 )
2021-04-26 20:07:00 +02:00
expected_stdout_1 = """
CREATED_DB_NAME / opt / scripts / qa - rundaily / dbg - repo / tmp / tmp_4821_test2 . fdb
FDB_RESTORED_USING_GBAK / opt / scripts / qa - rundaily / dbg - repo / tmp / tmp_4821_restored . gbak . fdb
FDB_RESTORED_USING_SMGR / opt / scripts / qa - rundaily / dbg - repo / tmp / tmp_4821_restored . smgr . fdb
2021-11-26 19:20:43 +01:00
"""
2021-04-26 20:07:00 +02:00
expected_stderr_1 = """
Statement failed , SQLSTATE = 28000
no permission for CREATE access to DATABASE
gbak : ERROR : no permission for CREATE access to DATABASE
gbak : ERROR : failed to create database
gbak : Exiting before completion due to errors
no permission for CREATE access to DATABASE
- failed to create database
- Exiting before completion due to errors
gbak : ERROR : no permission for CREATE access to DATABASE
gbak : ERROR : failed to create database
gbak : Exiting before completion due to errors
no permission for CREATE access to DATABASE
- failed to create database
2021-11-26 19:20:43 +01:00
- Exiting before completion due to errors
"""
2021-04-26 20:07:00 +02:00
2021-12-14 20:56:34 +01:00
test_user_1 = user_factory ( ' db_1 ' , name = ' tmp$c4821_boss ' , password = ' 123 ' )
2021-04-26 20:07:00 +02:00
2021-11-26 19:20:43 +01:00
fdb_test1 = temp_file ( ' tmp_4821_test1.fdb ' )
fdb_test2 = temp_file ( ' tmp_4821_test2.fdb ' )
fbk_name = temp_file ( ' tmp_4821_test2.fbk ' )
fdb_restored_using_gbak = temp_file ( ' tmp_4821_restored.gbak.fdb ' )
fdb_restored_using_smgr = temp_file ( ' tmp_4821_restored.smgr.fdb ' )
fdb_restored_unexpected = temp_file ( ' tmp_4821_restored.no_grant.fdb ' )
2021-12-14 20:56:34 +01:00
test_role = role_factory ( ' db_1 ' , name = ' tmp$db_creator ' )
2021-04-26 20:07:00 +02:00
2021-11-26 19:20:43 +01:00
@pytest.mark.version ( ' >=3.0.5 ' )
def test_1 ( act_1 : Action , test_user_1 : User , capsys , fdb_test1 : Path , fdb_test2 : Path ,
fbk_name : Path , fdb_restored_using_gbak : Path , fdb_restored_using_smgr : Path ,
2021-12-14 20:56:34 +01:00
fdb_restored_unexpected : Path , test_role : Role ) :
with act_1 . db . connect ( ) as con :
# Next lines are here to show that role really exists
c = con . cursor ( )
c . execute ( ' select * from rdb$roles ' )
act_1 . print_data_list ( c )
# yet next statement fails anyway with: SQL role TMP$DB_CREATOR does not exist
con . execute_immediate ( f ' grant create database to role { test_role . name } ' )
con . execute_immediate ( f ' grant { test_role . name } to { test_user_1 . name } ' )
con . commit ( )
#
sql_test = f """
create database ' localhost: {fdb_test1} ' user { test_user_1 . name } password ' 123 ' ;
select mon $ database_name as created_db_name from mon $ database ;
rollback ;
create database ' localhost: {fdb_test2} ' user { test_user_1 . name } password ' 123 ' role { test_role . name } ;
set list on ;
select mon $ database_name as created_db_name from mon $ database ;
"""
act_1 . isql ( switches = [ ' -q ' ] , input = sql_test )
print ( act_1 . stdout )
# Must PASS because user test_user_1 is the owner of this DB:
act_1 . reset ( )
act_1 . gbak ( switches = [ ' -b ' , ' -user ' , test_user_1 . name , ' -pas ' , ' 123 ' ,
act_1 . get_dsn ( fdb_test2 ) , str ( fbk_name ) ] ,
credentials = False )
# Must FAIL because we do not specify role, with text:
# "gbak: ERROR:no permission for CREATE access to DATABASE ... / gbak: ERROR:failed to create database localhost:tmp_4821_restored.gbak.fdb"
act_1 . reset ( )
act_1 . expected_stderr = " Must FAIL because we do not specify role "
act_1 . gbak ( switches = [ ' -rep ' , ' -user ' , test_user_1 . name , ' -pas ' , ' 123 ' ,
str ( fbk_name ) , act_1 . get_dsn ( fdb_restored_using_gbak ) ] ,
credentials = False )
print ( act_1 . stderr , file = sys . stderr )
# Must PASS because we DO specify role:
act_1 . reset ( )
act_1 . gbak ( switches = [ ' -rep ' , ' -user ' , test_user_1 . name , ' -pas ' , ' 123 ' , ' -role ' , test_role . name ,
str ( fbk_name ) , act_1 . get_dsn ( fdb_restored_using_gbak ) ] ,
credentials = False )
#
act_1 . reset ( )
act_1 . isql ( switches = [ ' -user ' , act_1 . db . user , ' -password ' , act_1 . db . password ,
act_1 . get_dsn ( fdb_restored_using_gbak ) ] , connect_db = False ,
input = ' set list on; select mon$database_name as fdb_restored_using_gbak from mon$database; ' )
print ( act_1 . stdout )
# Must FAIL because we do not specify role, with text: "no permission for CREATE access to DATABASE ... / failed to create database tmp_4821_restored.smgr.fdb"
act_1 . reset ( )
act_1 . expected_stderr = " Must FAIL because we do not specify role "
act_1 . svcmgr ( switches = [ f ' { act_1 . host } :service_mgr ' , ' user ' , test_user_1 . name , ' password ' , ' 123 ' ,
' action_restore ' , ' res_replace ' , ' bkp_file ' , str ( fbk_name ) ,
' dbname ' , str ( fdb_restored_using_smgr ) ] , connect_mngr = False )
print ( act_1 . stderr , file = sys . stderr )
# Must PASS because we DO specify role:
act_1 . reset ( )
act_1 . svcmgr ( switches = [ f ' { act_1 . host } :service_mgr ' , ' user ' , test_user_1 . name , ' password ' , ' 123 ' ,
' role ' , test_role . name , ' action_restore ' , ' res_replace ' ,
' bkp_file ' , str ( fbk_name ) , ' dbname ' , str ( fdb_restored_using_smgr ) ] ,
connect_mngr = False )
#
act_1 . reset ( )
act_1 . isql ( switches = [ ' -user ' , act_1 . db . user , ' -password ' , act_1 . db . password ,
act_1 . get_dsn ( fdb_restored_using_gbak ) ] , connect_db = False ,
input = ' set list on; select mon$database_name as fdb_restored_using_smgr from mon$database; ' )
print ( act_1 . stdout )
#
act_1 . reset ( )
act_1 . expected_stdout = expected_stdout_1
act_1 . expected_stderr = expected_stderr_1
act_1 . stdout = capsys . readouterr ( ) . out
act_1 . stderr = capsys . readouterr ( ) . err
assert act_1 . clean_stdout == act_1 . clean_expected_stdout
assert act_1 . clean_stderr == act_1 . clean_expected_stderr