firebird-qa/tests/bugs/test_core_2765.py

#coding:utf-8
#
# id:           bugs.core_2765
# title:        Use of RDB$ADMIN role does not provide SYSDBA rights in GRANT/REVOKE
# decription:   
#                   06.08.2018: removed old code for 3.0 and 4.0, replaced it with simplified one that does *exactly* what ticket says.
#                   Checked on 3.0.4.33021, 4.0.0.1143.
#                
# tracker_id:   CORE-2765
# min_versions: ['2.5.0']
# versions:     3.0, 4.0
# qmid:         None

import pytest
from firebird.qa import db_factory, isql_act, Action

# version: 3.0
# resources: None

substitutions_1 = [('no (S|SELECT) privilege with grant option on table/view TEST', 'no SELECT privilege with grant option on table/view TEST')]

init_script_1 = """"""

db_1 = db_factory(sql_dialect=3, init=init_script_1)

test_script_1 = """
    --set bail on;
    set list on;
    set wng off;
    create or alter user tmp$c2765_admin password '123';
    create or alter user tmp$c2765_worker1 password '456';
    create or alter user tmp$c2765_worker2 password '789';

    grant rdb$admin to tmp$c2765_admin;
    commit;
   
    recreate table test(id int, x int);
    commit;
    insert into test(id, x) values(1, 1000);
    commit;

    connect '$(DSN)' user tmp$c2765_admin password '123' role 'RDB$ADMIN';
    select current_user as who_am_i, current_role as what_is_my_role from rdb$database;
    --select * from test;
    commit;

    grant all on test to tmp$c2765_worker1;
    commit;

    connect '$(DSN)' user tmp$c2765_worker1 password '456';
    select current_user as who_am_i, current_role as what_is_my_role from rdb$database;

    -- all these statements should pass:
    set count on;
    select * from test;
    update test set id=-id;
    delete from test;
    insert into test(id,x) values(2, 2000);
    set count off;
    rollback;


    connect '$(DSN)' user tmp$c2765_admin password '123';
    select current_user as who_am_i, current_role as what_is_my_role from rdb$database;
    commit;

    grant all on test to tmp$c2765_worker2; -- should fail!
    commit;

    connect '$(DSN)' user tmp$c2765_worker2 password '789';
    select current_user as who_am_i, current_role as what_is_my_role from rdb$database;
    select * from test; -- should FAIL!
    commit;

    -- cleanup:
    -- ########
    connect '$(DSN)' user sysdba password 'masterkey';
    drop user tmp$c2765_admin;
    drop user tmp$c2765_worker1;
    drop user tmp$c2765_worker2;
    commit;

  """

act_1 = isql_act('db_1', test_script_1, substitutions=substitutions_1)

expected_stdout_1 = """
    WHO_AM_I                        TMP$C2765_ADMIN
    WHAT_IS_MY_ROLE                 RDB$ADMIN

    WHO_AM_I                        TMP$C2765_WORKER1
    WHAT_IS_MY_ROLE                 NONE
    ID                              1
    X                               1000

    Records affected: 1
    Records affected: 1
    Records affected: 1
    Records affected: 1

    WHO_AM_I                        TMP$C2765_ADMIN
    WHAT_IS_MY_ROLE                 NONE

    WHO_AM_I                        TMP$C2765_WORKER2
    WHAT_IS_MY_ROLE                 NONE

  """
expected_stderr_1 = """
    Statement failed, SQLSTATE = 42000
    unsuccessful metadata update
    -GRANT failed
    -no SELECT privilege with grant option on table/view TEST
    Statement failed, SQLSTATE = 28000
    no permission for SELECT access to TABLE TEST
  """

@pytest.mark.version('>=3.0,<4.0')
def test_core_2765_1(act_1: Action):
    act_1.expected_stdout = expected_stdout_1
    act_1.expected_stderr = expected_stderr_1
    act_1.execute()
    assert act_1.clean_expected_stderr == act_1.clean_stderr
    assert act_1.clean_expected_stdout == act_1.clean_stdout

# version: 4.0
# resources: None

substitutions_2 = [('no (S|SELECT) privilege with grant option on table/view TEST', 'no SELECT privilege with grant option on table/view TEST')]

init_script_2 = """"""

db_2 = db_factory(sql_dialect=3, init=init_script_2)

test_script_2 = """
    --set bail on;
    set list on;
    set wng off;
    create or alter user tmp$c2765_admin password '123';
    create or alter user tmp$c2765_worker1 password '456';
    create or alter user tmp$c2765_worker2 password '789';

    grant rdb$admin to tmp$c2765_admin;
    commit;
   
    recreate table test(id int, x int);
    commit;
    insert into test(id, x) values(1, 1000);
    commit;

    connect '$(DSN)' user tmp$c2765_admin password '123' role 'RDB$ADMIN';
    select current_user as who_am_i, current_role as what_is_my_role from rdb$database;
    --select * from test;
    commit;

    grant all on test to tmp$c2765_worker1;
    commit;

    connect '$(DSN)' user tmp$c2765_worker1 password '456';
    select current_user as who_am_i, current_role as what_is_my_role from rdb$database;

    -- all these statements should pass:
    set count on;
    select * from test;
    update test set id=-id;
    delete from test;
    insert into test(id,x) values(2, 2000);
    set count off;
    rollback;


    connect '$(DSN)' user tmp$c2765_admin password '123';
    select current_user as who_am_i, current_role as what_is_my_role from rdb$database;
    commit;

    grant all on test to tmp$c2765_worker2; -- should fail!
    commit;

    connect '$(DSN)' user tmp$c2765_worker2 password '789';
    select current_user as who_am_i, current_role as what_is_my_role from rdb$database;
    select * from test; -- should FAIL!
    commit;

    -- cleanup:
    -- ########
    connect '$(DSN)' user sysdba password 'masterkey';
    drop user tmp$c2765_admin;
    drop user tmp$c2765_worker1;
    drop user tmp$c2765_worker2;
    commit;

  """

act_2 = isql_act('db_2', test_script_2, substitutions=substitutions_2)

expected_stdout_2 = """
    WHO_AM_I                        TMP$C2765_ADMIN
    WHAT_IS_MY_ROLE                 RDB$ADMIN

    WHO_AM_I                        TMP$C2765_WORKER1
    WHAT_IS_MY_ROLE                 NONE
    ID                              1
    X                               1000

    Records affected: 1
    Records affected: 1
    Records affected: 1
    Records affected: 1

    WHO_AM_I                        TMP$C2765_ADMIN
    WHAT_IS_MY_ROLE                 NONE

    WHO_AM_I                        TMP$C2765_WORKER2
    WHAT_IS_MY_ROLE                 NONE

  """
expected_stderr_2 = """
    Statement failed, SQLSTATE = 42000
    unsuccessful metadata update
    -GRANT failed
    -no SELECT privilege with grant option on table/view TEST
    Statement failed, SQLSTATE = 28000
    no permission for SELECT access to TABLE TEST
    -Effective user is TMP$C2765_WORKER2
  """

@pytest.mark.version('>=4.0')
def test_core_2765_2(act_2: Action):
    act_2.expected_stdout = expected_stdout_2
    act_2.expected_stderr = expected_stderr_2
    act_2.execute()
    assert act_2.clean_expected_stderr == act_2.clean_stderr
    assert act_2.clean_expected_stdout == act_2.clean_stdout
Firebird engine tests 2021-04-26 20:07:00 +02:00			`#coding:utf-8`
			`#`
			`# id: bugs.core_2765`
			`# title: Use of RDB$ADMIN role does not provide SYSDBA rights in GRANT/REVOKE`
			`# decription:`
			`# 06.08.2018: removed old code for 3.0 and 4.0, replaced it with simplified one that does exactly what ticket says.`
			`# Checked on 3.0.4.33021, 4.0.0.1143.`
			`#`
			`# tracker_id: CORE-2765`
			`# min_versions: ['2.5.0']`
			`# versions: 3.0, 4.0`
			`# qmid: None`

			`import pytest`
			`from firebird.qa import db_factory, isql_act, Action`

			`# version: 3.0`
			`# resources: None`

			`substitutions_1 = [('no (S\|SELECT) privilege with grant option on table/view TEST', 'no SELECT privilege with grant option on table/view TEST')]`

			`init_script_1 = """"""`

			`db_1 = db_factory(sql_dialect=3, init=init_script_1)`

			`test_script_1 = """`
			`--set bail on;`
			`set list on;`
			`set wng off;`
			`create or alter user tmp$c2765_admin password '123';`
			`create or alter user tmp$c2765_worker1 password '456';`
			`create or alter user tmp$c2765_worker2 password '789';`

			`grant rdb$admin to tmp$c2765_admin;`
			`commit;`

			`recreate table test(id int, x int);`
			`commit;`
			`insert into test(id, x) values(1, 1000);`
			`commit;`

			`connect '$(DSN)' user tmp$c2765_admin password '123' role 'RDB$ADMIN';`
			`select current_user as who_am_i, current_role as what_is_my_role from rdb$database;`
			`--select * from test;`
			`commit;`

			`grant all on test to tmp$c2765_worker1;`
			`commit;`

			`connect '$(DSN)' user tmp$c2765_worker1 password '456';`
			`select current_user as who_am_i, current_role as what_is_my_role from rdb$database;`

			`-- all these statements should pass:`
			`set count on;`
			`select * from test;`
			`update test set id=-id;`
			`delete from test;`
			`insert into test(id,x) values(2, 2000);`
			`set count off;`
			`rollback;`


			`connect '$(DSN)' user tmp$c2765_admin password '123';`
			`select current_user as who_am_i, current_role as what_is_my_role from rdb$database;`
			`commit;`

			`grant all on test to tmp$c2765_worker2; -- should fail!`
			`commit;`

			`connect '$(DSN)' user tmp$c2765_worker2 password '789';`
			`select current_user as who_am_i, current_role as what_is_my_role from rdb$database;`
			`select * from test; -- should FAIL!`
			`commit;`

			`-- cleanup:`
			`-- ########`
			`connect '$(DSN)' user sysdba password 'masterkey';`
			`drop user tmp$c2765_admin;`
			`drop user tmp$c2765_worker1;`
			`drop user tmp$c2765_worker2;`
			`commit;`

			`"""`

			`act_1 = isql_act('db_1', test_script_1, substitutions=substitutions_1)`

			`expected_stdout_1 = """`
			`WHO_AM_I TMP$C2765_ADMIN`
			`WHAT_IS_MY_ROLE RDB$ADMIN`

			`WHO_AM_I TMP$C2765_WORKER1`
			`WHAT_IS_MY_ROLE NONE`
			`ID 1`
			`X 1000`

			`Records affected: 1`
			`Records affected: 1`
			`Records affected: 1`
			`Records affected: 1`

			`WHO_AM_I TMP$C2765_ADMIN`
			`WHAT_IS_MY_ROLE NONE`

			`WHO_AM_I TMP$C2765_WORKER2`
			`WHAT_IS_MY_ROLE NONE`

			`"""`
			`expected_stderr_1 = """`
			`Statement failed, SQLSTATE = 42000`
			`unsuccessful metadata update`
			`-GRANT failed`
			`-no SELECT privilege with grant option on table/view TEST`
			`Statement failed, SQLSTATE = 28000`
			`no permission for SELECT access to TABLE TEST`
			`"""`

			`@pytest.mark.version('>=3.0,<4.0')`
			`def test_core_2765_1(act_1: Action):`
			`act_1.expected_stdout = expected_stdout_1`
			`act_1.expected_stderr = expected_stderr_1`
			`act_1.execute()`
			`assert act_1.clean_expected_stderr == act_1.clean_stderr`
			`assert act_1.clean_expected_stdout == act_1.clean_stdout`

			`# version: 4.0`
			`# resources: None`

			`substitutions_2 = [('no (S\|SELECT) privilege with grant option on table/view TEST', 'no SELECT privilege with grant option on table/view TEST')]`

			`init_script_2 = """"""`

			`db_2 = db_factory(sql_dialect=3, init=init_script_2)`

			`test_script_2 = """`
			`--set bail on;`
			`set list on;`
			`set wng off;`
			`create or alter user tmp$c2765_admin password '123';`
			`create or alter user tmp$c2765_worker1 password '456';`
			`create or alter user tmp$c2765_worker2 password '789';`

			`grant rdb$admin to tmp$c2765_admin;`
			`commit;`

			`recreate table test(id int, x int);`
			`commit;`
			`insert into test(id, x) values(1, 1000);`
			`commit;`

			`connect '$(DSN)' user tmp$c2765_admin password '123' role 'RDB$ADMIN';`
			`select current_user as who_am_i, current_role as what_is_my_role from rdb$database;`
			`--select * from test;`
			`commit;`

			`grant all on test to tmp$c2765_worker1;`
			`commit;`

			`connect '$(DSN)' user tmp$c2765_worker1 password '456';`
			`select current_user as who_am_i, current_role as what_is_my_role from rdb$database;`

			`-- all these statements should pass:`
			`set count on;`
			`select * from test;`
			`update test set id=-id;`
			`delete from test;`
			`insert into test(id,x) values(2, 2000);`
			`set count off;`
			`rollback;`


			`connect '$(DSN)' user tmp$c2765_admin password '123';`
			`select current_user as who_am_i, current_role as what_is_my_role from rdb$database;`
			`commit;`

			`grant all on test to tmp$c2765_worker2; -- should fail!`
			`commit;`

			`connect '$(DSN)' user tmp$c2765_worker2 password '789';`
			`select current_user as who_am_i, current_role as what_is_my_role from rdb$database;`
			`select * from test; -- should FAIL!`
			`commit;`

			`-- cleanup:`
			`-- ########`
			`connect '$(DSN)' user sysdba password 'masterkey';`
			`drop user tmp$c2765_admin;`
			`drop user tmp$c2765_worker1;`
			`drop user tmp$c2765_worker2;`
			`commit;`

			`"""`

			`act_2 = isql_act('db_2', test_script_2, substitutions=substitutions_2)`

			`expected_stdout_2 = """`
			`WHO_AM_I TMP$C2765_ADMIN`
			`WHAT_IS_MY_ROLE RDB$ADMIN`

			`WHO_AM_I TMP$C2765_WORKER1`
			`WHAT_IS_MY_ROLE NONE`
			`ID 1`
			`X 1000`

			`Records affected: 1`
			`Records affected: 1`
			`Records affected: 1`
			`Records affected: 1`

			`WHO_AM_I TMP$C2765_ADMIN`
			`WHAT_IS_MY_ROLE NONE`

			`WHO_AM_I TMP$C2765_WORKER2`
			`WHAT_IS_MY_ROLE NONE`

			`"""`
			`expected_stderr_2 = """`
			`Statement failed, SQLSTATE = 42000`
			`unsuccessful metadata update`
			`-GRANT failed`
			`-no SELECT privilege with grant option on table/view TEST`
			`Statement failed, SQLSTATE = 28000`
			`no permission for SELECT access to TABLE TEST`
			`-Effective user is TMP$C2765_WORKER2`
			`"""`

			`@pytest.mark.version('>=4.0')`
			`def test_core_2765_2(act_2: Action):`
			`act_2.expected_stdout = expected_stdout_2`
			`act_2.expected_stderr = expected_stderr_2`
			`act_2.execute()`
			`assert act_2.clean_expected_stderr == act_2.clean_stderr`
			`assert act_2.clean_expected_stdout == act_2.clean_stdout`