firebird-qa/tests/bugs/core_4821_test.py

#coding:utf-8
#
# id:           bugs.core_4821
# title:        grant create database to ROLE does not work: "no permission for CREATE access to DATABASE ..."
# decription:
#                   ::: NOTE ::: Test requires that databases.conf contains 'RemoteAccess = true' for security.db
#                   This line is added there by scenario '<QA_HOME>
#               undaily.bat' every time when check new FB snapshot.
#
#                   We make connection to security.db and create there user and role, with granting this role to user.
#                   (so, ROLE also is stored in the security.db).
#                   Then we grant privilege to create DB to just created role.
#                   After this we check that:
#                   * user can NOT create database if 'ROLE <this_role>' missed in the 'create database' statement;
#                   * user _CAN_ create database when issues: create database ... user ... password ... ROLE <this_role>
#
#                   Then we create backup of just created database and check that:
#                   * user can NOT restore it until specifying '-ROLE <this_role>' in gbak command line;
#                   * user _CAN_ restore database when issues: gbak -rep ... -user ... -pas ... -ROLE <this_role>;
#                   * the same pair of checks is performed for fbsvcmgr invocation;
#
#                   Finally, we connect again to security.db and drop <this_role>. After this restore must not be allowed
#                   even when "ROLE <this_role>" is specified in commands gbak or fbsvcmgr.
#
#                   Checked on:
#                       4.0.0.1713 SS: 5.250s.
#                       4.0.0.1346 SC: 5.734s.
#                       4.0.0.1691 CS: 9.875s.
#                       3.0.5.33218 SS: 4.313s.
#                       3.0.5.33084 SC: 4.031s.
#                       3.0.5.33212 CS: 7.672s.
#
#                  13.04.2021. Adapted for run both on Windows and Linux. Checked on:
#                     Windows: 3.0.8.33445, 4.0.0.2416
#                     Linux:   3.0.8.33426, 4.0.0.2416
#
#               [pcisar] 24.11.2021
#               This test FAILs because it's not possible to grant create database to role tmp$db_creator
#               although it exists (in test database):
#                Statement failed, SQLSTATE = 28000
#                unsuccessful metadata update
#                -GRANT failed
#                -SQL role TMP$DB_CREATOR does not exist
#                -in security database
#
# tracker_id:   CORE-4821
# min_versions: ['3.0.5']
# versions:     3.0.5
# qmid:         None

import pytest
import sys
from pathlib import Path
from firebird.qa import db_factory, python_act, Action, temp_file, user_factory, User

# version: 3.0.5
# resources: None

substitutions_1 = [('no permission for CREATE access to DATABASE .*',
                    'no permission for CREATE access to DATABASE'),
                   ('gbak: ERROR:failed to create database .*',
                    'gbak: ERROR:failed to create database'),
                   ('-failed to create database .*', '-failed to create database'),
                   ('CREATED_DB_NAME .*', 'CREATED_DB_NAME'),
                   ('FDB_RESTORED_USING_GBAK .*', 'FDB_RESTORED_USING_GBAK'),
                   ('FDB_RESTORED_USING_SMGR .*', 'FDB_RESTORED_USING_SMGR')]

init_script_1 = """"""

db_1 = db_factory(sql_dialect=3, init=init_script_1)

# test_script_1
#---
#
#  import os
#
#  os.environ["ISC_USER"] = user_name
#  os.environ["ISC_PASSWORD"] = user_password
#
#  this_db = db_conn.database_name
#  db_conn.close()
#
#  #--------------------------------------------
#
#  def flush_and_close( file_handle ):
#      # https://docs.python.org/2/library/os.html#os.fsync
#      # If you're starting with a Python file object f,
#      # first do f.flush(), and
#      # then do os.fsync(f.fileno()), to ensure that all internal buffers associated with f are written to disk.
#      global os
#
#      file_handle.flush()
#      if file_handle.mode not in ('r', 'rb') and file_handle.name != os.devnull:
#          # otherwise: "OSError: [Errno 9] Bad file descriptor"!
#          os.fsync(file_handle.fileno())
#      file_handle.close()
#
#  #--------------------------------------------
#
#  def cleanup( f_names_list ):
#      global os
#      for i in range(len( f_names_list )):
#         if type(f_names_list[i]) == file:
#            del_name = f_names_list[i].name
#         elif type(f_names_list[i]) == str:
#            del_name = f_names_list[i]
#         else:
#            print('Unrecognized type of element:', f_names_list[i], ' - can not be treated as file.')
#            print('type(f_names_list[i])=',type(f_names_list[i]))
#            del_name = None
#
#         if del_name and os.path.isfile( del_name ):
#             os.remove( del_name )
#
#  #--------------------------------------------
#
#  fdb_test1 = os.path.join(context['temp_directory'],'tmp_4821_test1.fdb')
#  fdb_test2 = os.path.join(context['temp_directory'],'tmp_4821_test2.fdb')
#  fbk_name = os.path.join(context['temp_directory'],'tmp_4821_test2.fbk')
#  fdb_restored_using_gbak = os.path.join(context['temp_directory'],'tmp_4821_restored.gbak.fdb')
#  fdb_restored_using_smgr = os.path.join(context['temp_directory'],'tmp_4821_restored.smgr.fdb')
#  fdb_restored_unexpected = os.path.join(context['temp_directory'],'tmp_4821_restored.wo_grant.fdb')
#
#  f_list = [fdb_test1, fdb_test2, fbk_name, fdb_restored_using_gbak, fdb_restored_using_smgr, fdb_restored_unexpected]
#  cleanup( f_list )
#
#  sql_init='''
#      set wng off;
#      set bail on;
#      set term ^;
#      execute block as
#      begin
#          execute statement 'drop role tmp$db_creator';
#          when any do begin end
#      end^
#      set term ;^
#      commit;
#      create role tmp$db_creator;
#      commit;
#      create or alter user tmp$c4821_boss password '123' using plugin Srp;
#      revoke all on all from tmp$c4821_boss;
#      grant create database to role tmp$db_creator;
#      grant tmp$db_creator to tmp$c4821_boss;
#      commit;
#      --show grants;
#  '''
#
#  runProgram('isql', [ 'localhost:security.db' ], sql_init)
#
#  sql_test='''
#      create database 'localhost:%(fdb_test1)s' user tmp$c4821_boss password '123';
#      select mon$database_name as created_db_name from mon$database;
#      rollback;
#      create database 'localhost:%(fdb_test2)s' user tmp$c4821_boss password '123' role tmp$db_creator;
#      set list on;
#      select mon$database_name as created_db_name from mon$database;
#  ''' % locals()
#
#  runProgram('isql', [ '-q' ], sql_test)
#
#  # Must PASS because user tmp$c4821_boss is the owner of this DB:
#  runProgram('gbak', [ '-b', 'localhost:' + fdb_test2, fbk_name, '-user', 'tmp$c4821_boss', '-pas', '123'] )
#
#  # Must FAIL because we do not specify role, with text:
#  # "gbak: ERROR:no permission for CREATE access to DATABASE ... / gbak: ERROR:failed to create database localhost:tmp_4821_restored.gbak.fdb"
#  runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_using_gbak, '-user', 'tmp$c4821_boss', '-pas', '123'] )
#
#  # Must PASS because we DO specify role:
#  runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_using_gbak, '-user', 'tmp$c4821_boss', '-pas', '123', '-role', 'tmp$db_creator'] )
#
#  runProgram('isql', [ 'localhost:'+fdb_restored_using_gbak ], 'set list on; select mon$database_name as fdb_restored_using_gbak from mon$database;')
#
#  # Must FAIL because we do not specify role, with text: "no permission for CREATE access to DATABASE ... / failed to create database tmp_4821_restored.smgr.fdb"
#  runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_using_smgr ] )
#
#  # Must PASS because we DO specify role:
#  runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'role', 'tmp$db_creator', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_using_smgr ] )
#
#  runProgram('isql', [ 'localhost:'+fdb_restored_using_smgr ], 'set list on; select mon$database_name as fdb_restored_using_smgr from mon$database;')
#
#
#  # ATTENTION: now we DROP role and check that after this action user tmp$c4821_boss will not be allowed to restore DB
#  #############################
#  runProgram('isql', [ 'localhost:security.db' ], 'drop role tmp$db_creator; commit;')
#
#  # Must FAIL because there is no more role which was allowed to create DB
#  # Error text: "gbak: ERROR:no permission for CREATE ... TMP_4821_RESTORED.WO_GRANT.FDB"
#  runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_unexpected, '-user', 'tmp$c4821_boss', '-pas', '123', '-role', 'tmp$db_creator'] )
#
#  # Must FAIL (because of the same reason), with text: "no permission for CREATE access to DATABASE TMP_4821_RESTORED.WO_GRANT.FDB"
#  runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'role', 'tmp$db_creator', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_unexpected ] )
#
#  # CLEANUP:
#  ##########
#
#  sql_fini='''
#      drop user tmp$c4821_boss using plugin Srp;
#      commit;
#  '''
#  runProgram('isql', [ 'localhost:security.db' ], sql_fini)
#
#  cleanup( f_list )
#
#---

act_1 = python_act('db_1', substitutions=substitutions_1)

expected_stdout_1 = """
    CREATED_DB_NAME                 /opt/scripts/qa-rundaily/dbg-repo/tmp/tmp_4821_test2.fdb
    FDB_RESTORED_USING_GBAK         /opt/scripts/qa-rundaily/dbg-repo/tmp/tmp_4821_restored.gbak.fdb
    FDB_RESTORED_USING_SMGR         /opt/scripts/qa-rundaily/dbg-repo/tmp/tmp_4821_restored.smgr.fdb
"""

expected_stderr_1 = """
    Statement failed, SQLSTATE = 28000
    no permission for CREATE access to DATABASE
    gbak: ERROR:no permission for CREATE access to DATABASE
    gbak: ERROR:failed to create database
    gbak:Exiting before completion due to errors
    no permission for CREATE access to DATABASE
    -failed to create database
    -Exiting before completion due to errors
    gbak: ERROR:no permission for CREATE access to DATABASE
    gbak: ERROR:failed to create database
    gbak:Exiting before completion due to errors
    no permission for CREATE access to DATABASE
    -failed to create database
    -Exiting before completion due to errors
"""

test_user_1 = user_factory(name='tmp$c4821_boss', password='123')

fdb_test1 = temp_file('tmp_4821_test1.fdb')
fdb_test2 = temp_file('tmp_4821_test2.fdb')
fbk_name = temp_file('tmp_4821_test2.fbk')
fdb_restored_using_gbak = temp_file('tmp_4821_restored.gbak.fdb')
fdb_restored_using_smgr = temp_file('tmp_4821_restored.smgr.fdb')
fdb_restored_unexpected = temp_file('tmp_4821_restored.no_grant.fdb')

@pytest.mark.version('>=3.0.5')
def test_1(act_1: Action, test_user_1: User, capsys, fdb_test1: Path, fdb_test2: Path,
           fbk_name: Path, fdb_restored_using_gbak: Path, fdb_restored_using_smgr: Path,
           fdb_restored_unexpected: Path):
    with act_1.test_role('tmp$db_creator'):
        with act_1.db.connect() as con:
            #con.execute_immediate('revoke all on all from tmp$c4821_boss')
            con.execute_immediate('grant create database to role tmp$db_creator')
            con.execute_immediate('grant tmp$db_creator to tmp$c4821_boss')
            con.commit()
        #
        sql_test = f"""
        create database 'localhost:{fdb_test1}' user tmp$c4821_boss password '123';
        select mon$database_name as created_db_name from mon$database;
        rollback;
        create database 'localhost:{fdb_test2}' user tmp$c4821_boss password '123' role tmp$db_creator;
        set list on;
        select mon$database_name as created_db_name from mon$database;
        """
        act_1.isql(switches=['-q'], input=sql_test)
        print(act_1.stdout)
        # Must PASS because user tmp$c4821_boss is the owner of this DB:
        act_1.reset()
        act_1.gbak(switches=['-b', '-user', 'tmp$c4821_boss', '-pas', '123',
                             f'localhost:{fdb_test2}', str(fbk_name)],
                   credentials=False)
        # Must FAIL because we do not specify role, with text:
        # "gbak: ERROR:no permission for CREATE access to DATABASE ... / gbak: ERROR:failed to create database localhost:tmp_4821_restored.gbak.fdb"
        act_1.reset()
        act_1.expected_stderr = "Must FAIL because we do not specify role"
        act_1.gbak(switches=['-rep', '-user', 'tmp$c4821_boss', '-pas', '123',
                             str(fbk_name), f'localhost:{fdb_restored_using_gbak}'],
                   credentials=False)
        print(act_1.stderr, file=sys.stderr)
        # Must PASS because we DO specify role:
        act_1.reset()
        act_1.gbak(switches=['-rep', '-user', 'tmp$c4821_boss', '-pas', '123', '-role', 'tmp$db_creator',
                             str(fbk_name), f'localhost:{fdb_restored_using_gbak}'],
                   credentials=False)
        #
        act_1.reset()
        act_1.isql(switches=['-user', act_1.db.user, '-password', act_1.db.password,
                             f'localhost:{fdb_restored_using_gbak}'], connect_db=False,
                   input='set list on; select mon$database_name as fdb_restored_using_gbak from mon$database;')
        print(act_1.stdout)
        # Must FAIL because we do not specify role, with text: "no permission for CREATE access to DATABASE ... / failed to create database tmp_4821_restored.smgr.fdb"
        act_1.reset()
        act_1.expected_stderr = "Must FAIL because we do not specify role"
        act_1.svcmgr(switches=['localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123',
                               'action_restore', 'res_replace', 'bkp_file', str(fbk_name),
                               'dbname', str(fdb_restored_using_smgr)], connect_mngr=False)
        print(act_1.stderr, file=sys.stderr)
        # Must PASS because we DO specify role:
        act_1.reset()
        act_1.svcmgr(switches=['localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123',
                               'role', 'tmp$db_creator',  'action_restore', 'res_replace',
                               'bkp_file', str(fbk_name), 'dbname', str(fdb_restored_using_smgr)],
                     connect_mngr=False)
        #
        act_1.reset()
        act_1.isql(switches=['-user', act_1.db.user, '-password', act_1.db.password,
                             f'localhost:{fdb_restored_using_gbak}'], connect_db=False,
                   input='set list on; select mon$database_name as fdb_restored_using_smgr from mon$database;')
        print(act_1.stdout)
        #
        act_1.reset()
        act_1.expected_stdout = expected_stdout_1
        act_1.expected_stderr = expected_stderr_1
        act_1.stdout = capsys.readouterr().out
        act_1.stderr = capsys.readouterr().err
        assert act_1.clean_stdout == act_1.clean_expected_stdout
        assert act_1.clean_stderr == act_1.clean_expected_stderr
Firebird engine tests 2021-04-26 20:07:00 +02:00			`#coding:utf-8`
			`#`
			`# id: bugs.core_4821`
			`# title: grant create database to ROLE does not work: "no permission for CREATE access to DATABASE ..."`
More python tests 2021-11-26 19:20:43 +01:00			`# decription:`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# ::: NOTE ::: Test requires that databases.conf contains 'RemoteAccess = true' for security.db`
			`# This line is added there by scenario '<QA_HOME>`
			`# undaily.bat' every time when check new FB snapshot.`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# We make connection to security.db and create there user and role, with granting this role to user.`
			`# (so, ROLE also is stored in the security.db).`
			`# Then we grant privilege to create DB to just created role.`
			`# After this we check that:`
			`# * user can NOT create database if 'ROLE <this_role>' missed in the 'create database' statement;`
			`# * user _CAN_ create database when issues: create database ... user ... password ... ROLE <this_role>`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# Then we create backup of just created database and check that:`
			`# * user can NOT restore it until specifying '-ROLE <this_role>' in gbak command line;`
			`# * user _CAN_ restore database when issues: gbak -rep ... -user ... -pas ... -ROLE <this_role>;`
			`# * the same pair of checks is performed for fbsvcmgr invocation;`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# Finally, we connect again to security.db and drop <this_role>. After this restore must not be allowed`
			`# even when "ROLE <this_role>" is specified in commands gbak or fbsvcmgr.`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# Checked on:`
			`# 4.0.0.1713 SS: 5.250s.`
			`# 4.0.0.1346 SC: 5.734s.`
			`# 4.0.0.1691 CS: 9.875s.`
			`# 3.0.5.33218 SS: 4.313s.`
			`# 3.0.5.33084 SC: 4.031s.`
			`# 3.0.5.33212 CS: 7.672s.`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# 13.04.2021. Adapted for run both on Windows and Linux. Checked on:`
			`# Windows: 3.0.8.33445, 4.0.0.2416`
			`# Linux: 3.0.8.33426, 4.0.0.2416`
More python tests 2021-11-26 19:20:43 +01:00			`#`
			`# [pcisar] 24.11.2021`
			`# This test FAILs because it's not possible to grant create database to role tmp$db_creator`
			`# although it exists (in test database):`
			`# Statement failed, SQLSTATE = 28000`
			`# unsuccessful metadata update`
			`# -GRANT failed`
			`# -SQL role TMP$DB_CREATOR does not exist`
			`# -in security database`
			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# tracker_id: CORE-4821`
			`# min_versions: ['3.0.5']`
			`# versions: 3.0.5`
			`# qmid: None`

			`import pytest`
More python tests 2021-11-26 19:20:43 +01:00			`import sys`
			`from pathlib import Path`
			`from firebird.qa import db_factory, python_act, Action, temp_file, user_factory, User`
Firebird engine tests 2021-04-26 20:07:00 +02:00
			`# version: 3.0.5`
			`# resources: None`

More python tests 2021-11-26 19:20:43 +01:00			`substitutions_1 = [('no permission for CREATE access to DATABASE .*',`
			`'no permission for CREATE access to DATABASE'),`
			`('gbak: ERROR:failed to create database .*',`
			`'gbak: ERROR:failed to create database'),`
			`('-failed to create database .*', '-failed to create database'),`
			`('CREATED_DB_NAME .*', 'CREATED_DB_NAME'),`
			`('FDB_RESTORED_USING_GBAK .*', 'FDB_RESTORED_USING_GBAK'),`
			`('FDB_RESTORED_USING_SMGR .*', 'FDB_RESTORED_USING_SMGR')]`
Firebird engine tests 2021-04-26 20:07:00 +02:00
			`init_script_1 = """"""`

			`db_1 = db_factory(sql_dialect=3, init=init_script_1)`

			`# test_script_1`
			`#---`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# import os`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# os.environ["ISC_USER"] = user_name`
			`# os.environ["ISC_PASSWORD"] = user_password`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# this_db = db_conn.database_name`
			`# db_conn.close()`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# #--------------------------------------------`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# def flush_and_close( file_handle ):`
			`# # https://docs.python.org/2/library/os.html#os.fsync`
			`# # If you're starting with a Python file object f,`
			`# # first do f.flush(), and`
			`# # then do os.fsync(f.fileno()), to ensure that all internal buffers associated with f are written to disk.`
			`# global os`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# file_handle.flush()`
			`# if file_handle.mode not in ('r', 'rb') and file_handle.name != os.devnull:`
			`# # otherwise: "OSError: [Errno 9] Bad file descriptor"!`
			`# os.fsync(file_handle.fileno())`
			`# file_handle.close()`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# #--------------------------------------------`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# def cleanup( f_names_list ):`
			`# global os`
			`# for i in range(len( f_names_list )):`
			`# if type(f_names_list[i]) == file:`
			`# del_name = f_names_list[i].name`
			`# elif type(f_names_list[i]) == str:`
			`# del_name = f_names_list[i]`
			`# else:`
			`# print('Unrecognized type of element:', f_names_list[i], ' - can not be treated as file.')`
			`# print('type(f_names_list[i])=',type(f_names_list[i]))`
			`# del_name = None`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# if del_name and os.path.isfile( del_name ):`
			`# os.remove( del_name )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# #--------------------------------------------`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# fdb_test1 = os.path.join(context['temp_directory'],'tmp_4821_test1.fdb')`
			`# fdb_test2 = os.path.join(context['temp_directory'],'tmp_4821_test2.fdb')`
			`# fbk_name = os.path.join(context['temp_directory'],'tmp_4821_test2.fbk')`
			`# fdb_restored_using_gbak = os.path.join(context['temp_directory'],'tmp_4821_restored.gbak.fdb')`
			`# fdb_restored_using_smgr = os.path.join(context['temp_directory'],'tmp_4821_restored.smgr.fdb')`
			`# fdb_restored_unexpected = os.path.join(context['temp_directory'],'tmp_4821_restored.wo_grant.fdb')`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# f_list = [fdb_test1, fdb_test2, fbk_name, fdb_restored_using_gbak, fdb_restored_using_smgr, fdb_restored_unexpected]`
			`# cleanup( f_list )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# sql_init='''`
			`# set wng off;`
			`# set bail on;`
			`# set term ^;`
			`# execute block as`
			`# begin`
			`# execute statement 'drop role tmp$db_creator';`
			`# when any do begin end`
			`# end^`
			`# set term ;^`
			`# commit;`
			`# create role tmp$db_creator;`
			`# commit;`
			`# create or alter user tmp$c4821_boss password '123' using plugin Srp;`
			`# revoke all on all from tmp$c4821_boss;`
			`# grant create database to role tmp$db_creator;`
			`# grant tmp$db_creator to tmp$c4821_boss;`
			`# commit;`
			`# --show grants;`
			`# '''`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# runProgram('isql', [ 'localhost:security.db' ], sql_init)`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# sql_test='''`
			`# create database 'localhost:%(fdb_test1)s' user tmp$c4821_boss password '123';`
			`# select mon$database_name as created_db_name from mon$database;`
			`# rollback;`
			`# create database 'localhost:%(fdb_test2)s' user tmp$c4821_boss password '123' role tmp$db_creator;`
			`# set list on;`
			`# select mon$database_name as created_db_name from mon$database;`
			`# ''' % locals()`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# runProgram('isql', [ '-q' ], sql_test)`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # Must PASS because user tmp$c4821_boss is the owner of this DB:`
			`# runProgram('gbak', [ '-b', 'localhost:' + fdb_test2, fbk_name, '-user', 'tmp$c4821_boss', '-pas', '123'] )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # Must FAIL because we do not specify role, with text:`
			`# # "gbak: ERROR:no permission for CREATE access to DATABASE ... / gbak: ERROR:failed to create database localhost:tmp_4821_restored.gbak.fdb"`
			`# runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_using_gbak, '-user', 'tmp$c4821_boss', '-pas', '123'] )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # Must PASS because we DO specify role:`
			`# runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_using_gbak, '-user', 'tmp$c4821_boss', '-pas', '123', '-role', 'tmp$db_creator'] )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# runProgram('isql', [ 'localhost:'+fdb_restored_using_gbak ], 'set list on; select mon$database_name as fdb_restored_using_gbak from mon$database;')`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # Must FAIL because we do not specify role, with text: "no permission for CREATE access to DATABASE ... / failed to create database tmp_4821_restored.smgr.fdb"`
			`# runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_using_smgr ] )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # Must PASS because we DO specify role:`
			`# runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'role', 'tmp$db_creator', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_using_smgr ] )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# runProgram('isql', [ 'localhost:'+fdb_restored_using_smgr ], 'set list on; select mon$database_name as fdb_restored_using_smgr from mon$database;')`
More python tests 2021-11-26 19:20:43 +01:00			`#`
			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # ATTENTION: now we DROP role and check that after this action user tmp$c4821_boss will not be allowed to restore DB`
			`# #############################`
			`# runProgram('isql', [ 'localhost:security.db' ], 'drop role tmp$db_creator; commit;')`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # Must FAIL because there is no more role which was allowed to create DB`
			`# # Error text: "gbak: ERROR:no permission for CREATE ... TMP_4821_RESTORED.WO_GRANT.FDB"`
			`# runProgram('gbak', [ '-rep', fbk_name, 'localhost:'+fdb_restored_unexpected, '-user', 'tmp$c4821_boss', '-pas', '123', '-role', 'tmp$db_creator'] )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # Must FAIL (because of the same reason), with text: "no permission for CREATE access to DATABASE TMP_4821_RESTORED.WO_GRANT.FDB"`
			`# runProgram('fbsvcmgr', [ 'localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123', 'role', 'tmp$db_creator', 'action_restore', 'res_replace', 'bkp_file', fbk_name, 'dbname', fdb_restored_unexpected ] )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# # CLEANUP:`
			`# ##########`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# sql_fini='''`
			`# drop user tmp$c4821_boss using plugin Srp;`
			`# commit;`
			`# '''`
			`# runProgram('isql', [ 'localhost:security.db' ], sql_fini)`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`# cleanup( f_list )`
More python tests 2021-11-26 19:20:43 +01:00			`#`
Firebird engine tests 2021-04-26 20:07:00 +02:00			`#---`
More python tests 2021-11-26 19:20:43 +01:00
			`act_1 = python_act('db_1', substitutions=substitutions_1)`
Firebird engine tests 2021-04-26 20:07:00 +02:00
			`expected_stdout_1 = """`
			`CREATED_DB_NAME /opt/scripts/qa-rundaily/dbg-repo/tmp/tmp_4821_test2.fdb`
			`FDB_RESTORED_USING_GBAK /opt/scripts/qa-rundaily/dbg-repo/tmp/tmp_4821_restored.gbak.fdb`
			`FDB_RESTORED_USING_SMGR /opt/scripts/qa-rundaily/dbg-repo/tmp/tmp_4821_restored.smgr.fdb`
More python tests 2021-11-26 19:20:43 +01:00			`"""`

Firebird engine tests 2021-04-26 20:07:00 +02:00			`expected_stderr_1 = """`
			`Statement failed, SQLSTATE = 28000`
			`no permission for CREATE access to DATABASE`
			`gbak: ERROR:no permission for CREATE access to DATABASE`
			`gbak: ERROR:failed to create database`
			`gbak:Exiting before completion due to errors`
			`no permission for CREATE access to DATABASE`
			`-failed to create database`
			`-Exiting before completion due to errors`
			`gbak: ERROR:no permission for CREATE access to DATABASE`
			`gbak: ERROR:failed to create database`
			`gbak:Exiting before completion due to errors`
			`no permission for CREATE access to DATABASE`
			`-failed to create database`
More python tests 2021-11-26 19:20:43 +01:00			`-Exiting before completion due to errors`
			`"""`
Firebird engine tests 2021-04-26 20:07:00 +02:00
More python tests 2021-11-26 19:20:43 +01:00			`test_user_1 = user_factory(name='tmp$c4821_boss', password='123')`
Firebird engine tests 2021-04-26 20:07:00 +02:00
More python tests 2021-11-26 19:20:43 +01:00			`fdb_test1 = temp_file('tmp_4821_test1.fdb')`
			`fdb_test2 = temp_file('tmp_4821_test2.fdb')`
			`fbk_name = temp_file('tmp_4821_test2.fbk')`
			`fdb_restored_using_gbak = temp_file('tmp_4821_restored.gbak.fdb')`
			`fdb_restored_using_smgr = temp_file('tmp_4821_restored.smgr.fdb')`
			`fdb_restored_unexpected = temp_file('tmp_4821_restored.no_grant.fdb')`
Firebird engine tests 2021-04-26 20:07:00 +02:00
More python tests 2021-11-26 19:20:43 +01:00			`@pytest.mark.version('>=3.0.5')`
			`def test_1(act_1: Action, test_user_1: User, capsys, fdb_test1: Path, fdb_test2: Path,`
			`fbk_name: Path, fdb_restored_using_gbak: Path, fdb_restored_using_smgr: Path,`
			`fdb_restored_unexpected: Path):`
			`with act_1.test_role('tmp$db_creator'):`
			`with act_1.db.connect() as con:`
			`#con.execute_immediate('revoke all on all from tmp$c4821_boss')`
			`con.execute_immediate('grant create database to role tmp$db_creator')`
			`con.execute_immediate('grant tmp$db_creator to tmp$c4821_boss')`
			`con.commit()`
			`#`
			`sql_test = f"""`
			`create database 'localhost:{fdb_test1}' user tmp$c4821_boss password '123';`
			`select mon$database_name as created_db_name from mon$database;`
			`rollback;`
			`create database 'localhost:{fdb_test2}' user tmp$c4821_boss password '123' role tmp$db_creator;`
			`set list on;`
			`select mon$database_name as created_db_name from mon$database;`
			`"""`
			`act_1.isql(switches=['-q'], input=sql_test)`
			`print(act_1.stdout)`
			`# Must PASS because user tmp$c4821_boss is the owner of this DB:`
			`act_1.reset()`
			`act_1.gbak(switches=['-b', '-user', 'tmp$c4821_boss', '-pas', '123',`
			`f'localhost:{fdb_test2}', str(fbk_name)],`
			`credentials=False)`
			`# Must FAIL because we do not specify role, with text:`
			`# "gbak: ERROR:no permission for CREATE access to DATABASE ... / gbak: ERROR:failed to create database localhost:tmp_4821_restored.gbak.fdb"`
			`act_1.reset()`
			`act_1.expected_stderr = "Must FAIL because we do not specify role"`
			`act_1.gbak(switches=['-rep', '-user', 'tmp$c4821_boss', '-pas', '123',`
			`str(fbk_name), f'localhost:{fdb_restored_using_gbak}'],`
			`credentials=False)`
			`print(act_1.stderr, file=sys.stderr)`
			`# Must PASS because we DO specify role:`
			`act_1.reset()`
			`act_1.gbak(switches=['-rep', '-user', 'tmp$c4821_boss', '-pas', '123', '-role', 'tmp$db_creator',`
			`str(fbk_name), f'localhost:{fdb_restored_using_gbak}'],`
			`credentials=False)`
			`#`
			`act_1.reset()`
			`act_1.isql(switches=['-user', act_1.db.user, '-password', act_1.db.password,`
			`f'localhost:{fdb_restored_using_gbak}'], connect_db=False,`
			`input='set list on; select mon$database_name as fdb_restored_using_gbak from mon$database;')`
			`print(act_1.stdout)`
			`# Must FAIL because we do not specify role, with text: "no permission for CREATE access to DATABASE ... / failed to create database tmp_4821_restored.smgr.fdb"`
			`act_1.reset()`
			`act_1.expected_stderr = "Must FAIL because we do not specify role"`
			`act_1.svcmgr(switches=['localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123',`
			`'action_restore', 'res_replace', 'bkp_file', str(fbk_name),`
			`'dbname', str(fdb_restored_using_smgr)], connect_mngr=False)`
			`print(act_1.stderr, file=sys.stderr)`
			`# Must PASS because we DO specify role:`
			`act_1.reset()`
			`act_1.svcmgr(switches=['localhost:service_mgr', 'user', 'tmp$c4821_boss', 'password', '123',`
			`'role', 'tmp$db_creator', 'action_restore', 'res_replace',`
			`'bkp_file', str(fbk_name), 'dbname', str(fdb_restored_using_smgr)],`
			`connect_mngr=False)`
			`#`
			`act_1.reset()`
			`act_1.isql(switches=['-user', act_1.db.user, '-password', act_1.db.password,`
			`f'localhost:{fdb_restored_using_gbak}'], connect_db=False,`
			`input='set list on; select mon$database_name as fdb_restored_using_smgr from mon$database;')`
			`print(act_1.stdout)`
			`#`
			`act_1.reset()`
			`act_1.expected_stdout = expected_stdout_1`
			`act_1.expected_stderr = expected_stderr_1`
			`act_1.stdout = capsys.readouterr().out`
			`act_1.stderr = capsys.readouterr().err`
			`assert act_1.clean_stdout == act_1.clean_expected_stdout`
			`assert act_1.clean_stderr == act_1.clean_expected_stderr`