firebird-qa/tests/bugs/core_4806_test.py

#coding:utf-8
#
# id:           bugs.core_4806
# title:        Regression: generators can be seen/modified by unprivileged users
# decription:
#                   We create sequence ('g') and three users and one role.
#                   First user ('big_brother') is granted to use generator directly.
#                   Second user ('bill_junior') is gratned to use generator via ROLE ('stockmgr').
#                   Third user ('maverick') has no grants to use neither on role nor on generator.
#                   Then we try to change value of generator by call gen_id(g,1) by create apropriate
#                   connections (for each of these users).
#                   First and second users must have ability both to change generator and to see its
#                   values using command 'SHOW SEQUENCE'.
#                   Also, we do additional check for second user: try to connect WITHOUT specifying role
#                   and see/change sequence. Error must be in this case (SQLSTATE = 28000).
#                   Third user must NOT see neither value of generator nor to change it (SQLSTATE = 28000).
#
#                   :::::::::::::::::::::::::::::::::::::::: NB ::::::::::::::::::::::::::::::::::::
#                   18.08.2020. FB 4.x has incompatible behaviour with all previous versions since build 4.0.0.2131 (06-aug-2020):
#                   statement 'CREATE SEQUENCE <G>' will create generator with current value LESS FOR 1 then it was before.
#                   Thus, 'create sequence g;' followed by 'show sequence;' will output "current value: -1" (!!) rather than 0.
#                   See also CORE-6084 and its fix: https://github.com/FirebirdSQL/firebird/commit/23dc0c6297825b2e9006f4d5a2c488702091033d
#                   ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#                   This is considered as *expected* and is noted in doc/README.incompatibilities.3to4.txt
#
#                   Because of this, it was decided to filter out concrete values that are produced in 'SHOW SEQUENCE' command.
#
#                   Checked on:
#                       4.0.0.2164
#                       3.0.7.33356
#
# tracker_id:   CORE-4806
# min_versions: ['3.0']
# versions:     3.0
# qmid:         None

import pytest
from firebird.qa import db_factory, isql_act, Action

# version: 3.0
# resources: None

substitutions_1 = [('-Effective user is.*', ''), ('current value.*', 'current value')]

init_script_1 = """"""

db_1 = db_factory(sql_dialect=3, init=init_script_1)

test_script_1 = """
    set wng off;
    recreate sequence g;
    commit;
    set term ^;
    execute block as
    begin
        execute statement 'drop role stockmgr';
    when any do begin end
    end
    ^ set term ;^
    commit;

    create or alter user Maverick password '123';
    create or alter user Big_Brother password '456';
    create or alter user Bill_Junior password '789';
    create role stockmgr;
    commit;

    revoke all on all from Maverick;
    revoke all on all from Big_Brother;
    revoke all on all from Bill_Junior;
    --revoke all on all from stockmgr; -- COMMENTED TEMPLY, error "Revoke all on all from role <R> -- failed with "SQL role <R> does not exist in security database"", see core-4831
    revoke all on all from public;
    commit;

    grant usage on sequence g to big_brother;
    grant usage on sequence g to role stockmgr;
    grant stockmgr to Bill_Junior;
    commit;
    show grants;

    set list on;

    connect '$(DSN)' user 'BIG_BROTHER' password '456';
    select current_user, current_role from rdb$database;
    show sequ g;
    select gen_id(g, -111) as new_gen from rdb$database;
    commit;

    connect '$(DSN)' user 'BILL_JUNIOR' password '789' role 'STOCKMGR'; -- !! specify role in UPPER case !!
    select current_user, current_role from rdb$database;
    show sequ g;
    select gen_id(g, -222) as new_gen from rdb$database;
    commit;

    connect '$(DSN)' user 'BILL_JUNIOR' password '789';
    select current_user, current_role from rdb$database;

    -- 'show sequ' should produce error:
    --    Statement failed, SQLSTATE = 28000
    --    no permission for USAGE access to GENERATOR G
    --    There is no generator G in this database
    -- (for user 'Bill_Junior' who connects w/o ROLE and thus has NO rights to see that sequence)
    show sequ g;

    -- 'select gen_id(...)' should produce error:
    --    Statement failed, SQLSTATE = 28000
    --    no permission for USAGE access to GENERATOR G
    -- (for user 'Bill_Junior' who connects w/o ROLE and thus has NO rights to see that sequence)
    select gen_id(g, -333) as new_gen from rdb$database;
    commit;

    connect '$(DSN)' user 'MAVERICK' password '123';
    select current_user, current_role from rdb$database;


    -- 'show sequ' should produce error:
    --    Statement failed, SQLSTATE = 28000
    --    no permission for USAGE access to GENERATOR G
    --    There is no generator G in this database
    -- (for user 'maverick' who has NO rights at all)
    show sequ g;

    -- 'select gen_id(...)' should produce error:
    --    Statement failed, SQLSTATE = 28000
    --    no permission for USAGE access to GENERATOR G
    -- (for user 'maverick' who has NO rights at all)
    select gen_id(g, -444) as new_gen from rdb$database;

    commit;
    connect '$(DSN)' user 'SYSDBA' password 'masterkey';

    drop user Maverick;
    drop user Big_Brother;
    drop user Bill_Junior;
    commit;
  """

act_1 = isql_act('db_1', test_script_1, substitutions=substitutions_1)

expected_stdout_1 = """
    /* Grant permissions for this database */
    GRANT STOCKMGR TO BILL_JUNIOR
    GRANT USAGE ON SEQUENCE G TO USER BIG_BROTHER
    GRANT USAGE ON SEQUENCE G TO ROLE STOCKMGR
    GRANT CREATE DATABASE TO USER TMP$C4648

    USER                            BIG_BROTHER
    ROLE                            NONE
    Generator G, current value: 0, initial value: 0, increment: 1
    NEW_GEN                         -111

    USER                            BILL_JUNIOR
    ROLE                            STOCKMGR
    Generator G, current value: -111, initial value: 0, increment: 1
    NEW_GEN                         -333

    USER                            BILL_JUNIOR
    ROLE                            NONE

    USER                            MAVERICK
    ROLE                            NONE
  """
expected_stderr_1 = """
    Statement failed, SQLSTATE = 28000
    no permission for USAGE access to GENERATOR G
    There is no generator G in this database

    Statement failed, SQLSTATE = 28000
    no permission for USAGE access to GENERATOR G

    Statement failed, SQLSTATE = 28000
    no permission for USAGE access to GENERATOR G
    There is no generator G in this database

    Statement failed, SQLSTATE = 28000
    no permission for USAGE access to GENERATOR G
  """

@pytest.mark.version('>=3.0')
def test_1(act_1: Action):
    act_1.expected_stdout = expected_stdout_1
    act_1.expected_stderr = expected_stderr_1
    act_1.execute()
    assert act_1.clean_expected_stderr == act_1.clean_stderr
    assert act_1.clean_expected_stdout == act_1.clean_stdout
Firebird engine tests 2021-04-26 20:07:00 +02:00			`#coding:utf-8`
			`#`
			`# id: bugs.core_4806`
			`# title: Regression: generators can be seen/modified by unprivileged users`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00			`# decription:`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# We create sequence ('g') and three users and one role.`
			`# First user ('big_brother') is granted to use generator directly.`
			`# Second user ('bill_junior') is gratned to use generator via ROLE ('stockmgr').`
			`# Third user ('maverick') has no grants to use neither on role nor on generator.`
			`# Then we try to change value of generator by call gen_id(g,1) by create apropriate`
			`# connections (for each of these users).`
			`# First and second users must have ability both to change generator and to see its`
			`# values using command 'SHOW SEQUENCE'.`
			`# Also, we do additional check for second user: try to connect WITHOUT specifying role`
			`# and see/change sequence. Error must be in this case (SQLSTATE = 28000).`
			`# Third user must NOT see neither value of generator nor to change it (SQLSTATE = 28000).`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# :::::::::::::::::::::::::::::::::::::::: NB ::::::::::::::::::::::::::::::::::::`
			`# 18.08.2020. FB 4.x has incompatible behaviour with all previous versions since build 4.0.0.2131 (06-aug-2020):`
			`# statement 'CREATE SEQUENCE <G>' will create generator with current value LESS FOR 1 then it was before.`
			`# Thus, 'create sequence g;' followed by 'show sequence;' will output "current value: -1" (!!) rather than 0.`
			`# See also CORE-6084 and its fix: https://github.com/FirebirdSQL/firebird/commit/23dc0c6297825b2e9006f4d5a2c488702091033d`
			`# ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::`
			`# This is considered as expected and is noted in doc/README.incompatibilities.3to4.txt`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# Because of this, it was decided to filter out concrete values that are produced in 'SHOW SEQUENCE' command.`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# Checked on:`
			`# 4.0.0.2164`
			`# 3.0.7.33356`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# tracker_id: CORE-4806`
			`# min_versions: ['3.0']`
			`# versions: 3.0`
			`# qmid: None`

			`import pytest`
			`from firebird.qa import db_factory, isql_act, Action`

			`# version: 3.0`
			`# resources: None`

			`substitutions_1 = [('-Effective user is.', ''), ('current value.', 'current value')]`

			`init_script_1 = """"""`

			`db_1 = db_factory(sql_dialect=3, init=init_script_1)`

			`test_script_1 = """`
			`set wng off;`
			`recreate sequence g;`
			`commit;`
			`set term ^;`
			`execute block as`
			`begin`
			`execute statement 'drop role stockmgr';`
			`when any do begin end`
			`end`
			`^ set term ;^`
			`commit;`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00
Firebird engine tests 2021-04-26 20:07:00 +02:00			`create or alter user Maverick password '123';`
			`create or alter user Big_Brother password '456';`
			`create or alter user Bill_Junior password '789';`
			`create role stockmgr;`
			`commit;`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00
Firebird engine tests 2021-04-26 20:07:00 +02:00			`revoke all on all from Maverick;`
			`revoke all on all from Big_Brother;`
			`revoke all on all from Bill_Junior;`
			`--revoke all on all from stockmgr; -- COMMENTED TEMPLY, error "Revoke all on all from role <R> -- failed with "SQL role <R> does not exist in security database"", see core-4831`
			`revoke all on all from public;`
			`commit;`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00
Firebird engine tests 2021-04-26 20:07:00 +02:00			`grant usage on sequence g to big_brother;`
			`grant usage on sequence g to role stockmgr;`
			`grant stockmgr to Bill_Junior;`
			`commit;`
			`show grants;`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00
Firebird engine tests 2021-04-26 20:07:00 +02:00			`set list on;`

			`connect '$(DSN)' user 'BIG_BROTHER' password '456';`
			`select current_user, current_role from rdb$database;`
			`show sequ g;`
			`select gen_id(g, -111) as new_gen from rdb$database;`
			`commit;`

			`connect '$(DSN)' user 'BILL_JUNIOR' password '789' role 'STOCKMGR'; -- !! specify role in UPPER case !!`
			`select current_user, current_role from rdb$database;`
			`show sequ g;`
			`select gen_id(g, -222) as new_gen from rdb$database;`
			`commit;`

			`connect '$(DSN)' user 'BILL_JUNIOR' password '789';`
			`select current_user, current_role from rdb$database;`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00
Firebird engine tests 2021-04-26 20:07:00 +02:00			`-- 'show sequ' should produce error:`
			`-- Statement failed, SQLSTATE = 28000`
			`-- no permission for USAGE access to GENERATOR G`
			`-- There is no generator G in this database`
			`-- (for user 'Bill_Junior' who connects w/o ROLE and thus has NO rights to see that sequence)`
			`show sequ g;`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00
Firebird engine tests 2021-04-26 20:07:00 +02:00			`-- 'select gen_id(...)' should produce error:`
			`-- Statement failed, SQLSTATE = 28000`
			`-- no permission for USAGE access to GENERATOR G`
			`-- (for user 'Bill_Junior' who connects w/o ROLE and thus has NO rights to see that sequence)`
			`select gen_id(g, -333) as new_gen from rdb$database;`
			`commit;`

			`connect '$(DSN)' user 'MAVERICK' password '123';`
			`select current_user, current_role from rdb$database;`


			`-- 'show sequ' should produce error:`
			`-- Statement failed, SQLSTATE = 28000`
			`-- no permission for USAGE access to GENERATOR G`
			`-- There is no generator G in this database`
			`-- (for user 'maverick' who has NO rights at all)`
			`show sequ g;`

			`-- 'select gen_id(...)' should produce error:`
			`-- Statement failed, SQLSTATE = 28000`
			`-- no permission for USAGE access to GENERATOR G`
			`-- (for user 'maverick' who has NO rights at all)`
			`select gen_id(g, -444) as new_gen from rdb$database;`

			`commit;`
			`connect '$(DSN)' user 'SYSDBA' password 'masterkey';`

			`drop user Maverick;`
			`drop user Big_Brother;`
			`drop user Bill_Junior;`
			`commit;`
			`"""`

			`act_1 = isql_act('db_1', test_script_1, substitutions=substitutions_1)`

			`expected_stdout_1 = """`
			`/* Grant permissions for this database */`
			`GRANT STOCKMGR TO BILL_JUNIOR`
			`GRANT USAGE ON SEQUENCE G TO USER BIG_BROTHER`
			`GRANT USAGE ON SEQUENCE G TO ROLE STOCKMGR`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00			`GRANT CREATE DATABASE TO USER TMP$C4648`
Firebird engine tests 2021-04-26 20:07:00 +02:00
			`USER BIG_BROTHER`
			`ROLE NONE`
			`Generator G, current value: 0, initial value: 0, increment: 1`
			`NEW_GEN -111`

			`USER BILL_JUNIOR`
			`ROLE STOCKMGR`
			`Generator G, current value: -111, initial value: 0, increment: 1`
			`NEW_GEN -333`

			`USER BILL_JUNIOR`
			`ROLE NONE`

			`USER MAVERICK`
			`ROLE NONE`
			`"""`
			`expected_stderr_1 = """`
			`Statement failed, SQLSTATE = 28000`
			`no permission for USAGE access to GENERATOR G`
			`There is no generator G in this database`

			`Statement failed, SQLSTATE = 28000`
			`no permission for USAGE access to GENERATOR G`
Fix for tests on Linux 3.0.7 2021-10-21 19:29:23 +02:00
Firebird engine tests 2021-04-26 20:07:00 +02:00			`Statement failed, SQLSTATE = 28000`
			`no permission for USAGE access to GENERATOR G`
			`There is no generator G in this database`

			`Statement failed, SQLSTATE = 28000`
			`no permission for USAGE access to GENERATOR G`
			`"""`

			`@pytest.mark.version('>=3.0')`
Change name scheme for tests 2021-04-28 12:42:11 +02:00			`def test_1(act_1: Action):`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`act_1.expected_stdout = expected_stdout_1`
			`act_1.expected_stderr = expected_stderr_1`
			`act_1.execute()`
			`assert act_1.clean_expected_stderr == act_1.clean_stderr`
			`assert act_1.clean_expected_stdout == act_1.clean_stdout`