test_oat_hooks \

/log/

/results/

/tmp_check/

MODULE_big = test_oat_hooks

OBJS = \

$(WIN32RES) \

test_oat_hooks.o

PGFILEDESC = "test_oat_hooks - example use of object access hooks"

REGRESS = test_oat_hooks

REGRESS_OPTS = --temp-config=$(top_srcdir)/src/test/modules/test_oat_hooks/test_oat_hooks.conf

NO_INSTALLCHECK = 1

ifdef USE_PGXS

PG_CONFIG = pg_config

PGXS := $(shell $(PG_CONFIG) --pgxs)

include $(PGXS)

else

subdir = src/test/modules/test_oat_hooks

top_builddir = ../../../..

include $(top_builddir)/src/Makefile.global

include $(top_srcdir)/contrib/contrib-global.mk

OVERVIEW

========

This test module, "test_oat_hooks", is an example of how to use the object

access hooks (OAT) to enforce mandatory access controls (MAC).

The testing strategy is as follows: When this module loads, it registers hooks

of various types. (See below.) GUCs are defined to control each hook,

determining whether the hook allows or denies actions for which it fires. A

single additional GUC controls the verbosity of the hooks. GUCs default to

permissive/quiet, which allows the module to load without generating noise in

the log or denying any activity in the run-up to the regression test beginning.

When the test begins, it uses SET commands to turn on logging and to control

each hook's permissive/restrictive behavior. Various SQL statements are run

under both superuser and ordinary user permissions. The output is compared

against the expected output to verify that the hooks behaved and fired in the

order by expect.

Because users may care about the firing order of other system hooks relative to

OAT hooks, ProcessUtility hooks and ExecutorCheckPerms hooks are also

registered by this module, with their own logging and allow/deny behavior.

SUSET test configuration GUCs

=============================

The following configuration parameters (GUCs) control this test module's Object

Access Type (OAT), Process Utility and Executor Check Permissions hooks. The

general pattern is that each hook has a corresponding GUC which controls

whether the hook will allow or deny operations for which the hook gets called.

A real-world OAT hook should certainly provide more fine-grained conrol than

merely "allow-all" vs. "deny-all", but for testing this is sufficient.

Note that even when these hooks allow an action, the core permissions system

may still refuse the action. The firing order of the hooks relative to the

core permissions system can be inferred from which NOTICE messages get emitted

before an action is refused.

Each hook applies the allow vs. deny setting to all operations performed by

non-superusers.

- test_oat_hooks.deny_set_variable

Controls whether the object_access_hook_str MAC function rejects attempts to

set a configuration parameter.

- test_oat_hooks.deny_alter_system

Controls whether the object_access_hook_str MAC function rejects attempts to

alter system set a configuration parameter.

- test_oat_hooks.deny_object_access

Controls whether the object_access_hook MAC function rejects all operations

for which it is called.

- test_oat_hooks.deny_exec_perms

Controls whether the exec_check_perms MAC function rejects all operations for

which it is called.

- test_oat_hooks.deny_utility_commands

Controls whether the ProcessUtility_hook function rejects all operations for

which it is called.

- test_oat_hooks.audit

Controls whether each hook logs NOTICE messages for each attempt, along with

success or failure status. Note that clearing or setting this GUC may itself

generate NOTICE messages appearing before but not after, or after but not

before, the new setting takes effect.

Functions

=========

The module registers hooks by the following names:

- REGRESS_object_access_hook

- REGRESS_object_access_hook_str

- REGRESS_exec_check_perms

- REGRESS_utility_command

-- SET commands fire both the ProcessUtility_hook and the

-- object_access_hook_str. Since the auditing GUC starts out false, we miss the

-- initial "attempting" audit message from the ProcessUtility_hook, but we

-- should thereafter see the audit messages

SET test_oat_hooks.audit = true;

NOTICE: in object_access_hook_str: superuser attempting alter (set) [test_oat_hooks.audit]

NOTICE: in object_access_hook_str: superuser finished alter (set) [test_oat_hooks.audit]

NOTICE: in process utility: superuser finished set

-- Create objects for use in the test

CREATE USER regress_test_user;

NOTICE: in process utility: superuser attempting CreateRoleStmt

NOTICE: in object access: superuser attempting create (subId=0) [explicit]

NOTICE: in object access: superuser finished create (subId=0) [explicit]

NOTICE: in process utility: superuser finished CreateRoleStmt

CREATE TABLE regress_test_table (t text);

NOTICE: in process utility: superuser attempting CreateStmt

NOTICE: in object access: superuser attempting namespace search (subId=0) [no report on violation, allowed]

LINE 1: CREATE TABLE regress_test_table (t text);

^

NOTICE: in object access: superuser finished namespace search (subId=0) [no report on violation, allowed]

LINE 1: CREATE TABLE regress_test_table (t text);

^

NOTICE: in object access: superuser attempting create (subId=0) [explicit]

NOTICE: in object access: superuser finished create (subId=0) [explicit]

NOTICE: in object access: superuser attempting create (subId=0) [explicit]

NOTICE: in object access: superuser finished create (subId=0) [explicit]

NOTICE: in object access: superuser attempting create (subId=0) [explicit]

NOTICE: in object access: superuser finished create (subId=0) [explicit]

NOTICE: in object access: superuser attempting create (subId=0) [internal]

NOTICE: in object access: superuser finished create (subId=0) [internal]

NOTICE: in object access: superuser attempting create (subId=0) [internal]

NOTICE: in object access: superuser finished create (subId=0) [internal]

NOTICE: in process utility: superuser finished CreateStmt

GRANT SELECT ON Table regress_test_table TO public;

NOTICE: in process utility: superuser attempting GrantStmt

NOTICE: in process utility: superuser finished GrantStmt

CREATE FUNCTION regress_test_func (t text) RETURNS text AS $$

SELECT $1;

$$ LANGUAGE sql;

NOTICE: in process utility: superuser attempting CreateFunctionStmt

NOTICE: in object access: superuser attempting create (subId=0) [explicit]

NOTICE: in object access: superuser finished create (subId=0) [explicit]

NOTICE: in process utility: superuser finished CreateFunctionStmt

GRANT EXECUTE ON FUNCTION regress_test_func (text) TO public;

NOTICE: in process utility: superuser attempting GrantStmt

NOTICE: in process utility: superuser finished GrantStmt

-- Do a few things as superuser

SELECT * FROM regress_test_table;

NOTICE: in executor check perms: superuser attempting execute

NOTICE: in executor check perms: superuser finished execute

t

---

(0 rows)

SELECT regress_test_func('arg');

NOTICE: in executor check perms: superuser attempting execute

NOTICE: in executor check perms: superuser finished execute

regress_test_func

-------------------

arg

(1 row)

SET work_mem = 8192;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [work_mem]

NOTICE: in object_access_hook_str: superuser finished alter (set) [work_mem]

NOTICE: in process utility: superuser finished set

RESET work_mem;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [work_mem]

NOTICE: in object_access_hook_str: superuser finished alter (set) [work_mem]

NOTICE: in process utility: superuser finished set

ALTER SYSTEM SET work_mem = 8192;

NOTICE: in process utility: superuser attempting alter system

NOTICE: in object_access_hook_str: superuser attempting alter (alter system set) [work_mem]

NOTICE: in object_access_hook_str: superuser finished alter (alter system set) [work_mem]

NOTICE: in process utility: superuser finished alter system

ALTER SYSTEM RESET work_mem;

NOTICE: in process utility: superuser attempting alter system

NOTICE: in object_access_hook_str: superuser attempting alter (alter system set) [work_mem]

NOTICE: in object_access_hook_str: superuser finished alter (alter system set) [work_mem]

NOTICE: in process utility: superuser finished alter system

-- Do those same things as non-superuser

SET SESSION AUTHORIZATION regress_test_user;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: non-superuser attempting alter (set) [session_authorization]

NOTICE: in object_access_hook_str: non-superuser finished alter (set) [session_authorization]

NOTICE: in process utility: non-superuser finished set

SELECT * FROM regress_test_table;

NOTICE: in object access: non-superuser attempting namespace search (subId=0) [no report on violation, allowed]

LINE 1: SELECT * FROM regress_test_table;

^

NOTICE: in object access: non-superuser finished namespace search (subId=0) [no report on violation, allowed]

LINE 1: SELECT * FROM regress_test_table;

^

NOTICE: in executor check perms: non-superuser attempting execute

NOTICE: in executor check perms: non-superuser finished execute

t

---

(0 rows)

SELECT regress_test_func('arg');

NOTICE: in executor check perms: non-superuser attempting execute

NOTICE: in executor check perms: non-superuser finished execute

regress_test_func

-------------------

arg

(1 row)

SET work_mem = 8192;

NOTICE: in process utility: non-superuser attempting set

NOTICE: in object_access_hook_str: non-superuser attempting alter (set) [work_mem]

NOTICE: in object_access_hook_str: non-superuser finished alter (set) [work_mem]

NOTICE: in process utility: non-superuser finished set

RESET work_mem;

NOTICE: in process utility: non-superuser attempting set

NOTICE: in object_access_hook_str: non-superuser attempting alter (set) [work_mem]

NOTICE: in object_access_hook_str: non-superuser finished alter (set) [work_mem]

NOTICE: in process utility: non-superuser finished set

ALTER SYSTEM SET work_mem = 8192;

NOTICE: in process utility: non-superuser attempting alter system

ERROR: must be superuser to execute ALTER SYSTEM command

ALTER SYSTEM RESET work_mem;

NOTICE: in process utility: non-superuser attempting alter system

ERROR: must be superuser to execute ALTER SYSTEM command

RESET SESSION AUTHORIZATION;

NOTICE: in process utility: non-superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [session_authorization]

NOTICE: in object_access_hook_str: superuser finished alter (set) [session_authorization]

NOTICE: in process utility: superuser finished set

-- Turn off non-superuser permissions

SET test_oat_hooks.deny_set_variable = true;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [test_oat_hooks.deny_set_variable]

NOTICE: in object_access_hook_str: superuser finished alter (set) [test_oat_hooks.deny_set_variable]

NOTICE: in process utility: superuser finished set

SET test_oat_hooks.deny_alter_system = true;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [test_oat_hooks.deny_alter_system]

NOTICE: in object_access_hook_str: superuser finished alter (set) [test_oat_hooks.deny_alter_system]

NOTICE: in process utility: superuser finished set

SET test_oat_hooks.deny_object_access = true;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [test_oat_hooks.deny_object_access]

NOTICE: in object_access_hook_str: superuser finished alter (set) [test_oat_hooks.deny_object_access]

NOTICE: in process utility: superuser finished set

SET test_oat_hooks.deny_exec_perms = true;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [test_oat_hooks.deny_exec_perms]

NOTICE: in object_access_hook_str: superuser finished alter (set) [test_oat_hooks.deny_exec_perms]

NOTICE: in process utility: superuser finished set

SET test_oat_hooks.deny_utility_commands = true;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [test_oat_hooks.deny_utility_commands]

NOTICE: in object_access_hook_str: superuser finished alter (set) [test_oat_hooks.deny_utility_commands]

NOTICE: in process utility: superuser finished set

-- Try again as non-superuser with permisisons denied

SET SESSION AUTHORIZATION regress_test_user;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: non-superuser attempting alter (set) [session_authorization]

ERROR: permission denied: set session_authorization

SELECT * FROM regress_test_table;

NOTICE: in object access: superuser attempting namespace search (subId=0) [no report on violation, allowed]

LINE 1: SELECT * FROM regress_test_table;

^

NOTICE: in object access: superuser finished namespace search (subId=0) [no report on violation, allowed]

LINE 1: SELECT * FROM regress_test_table;

^

NOTICE: in executor check perms: superuser attempting execute

NOTICE: in executor check perms: superuser finished execute

t

---

(0 rows)

SELECT regress_test_func('arg');

NOTICE: in executor check perms: superuser attempting execute

NOTICE: in executor check perms: superuser finished execute

regress_test_func

-------------------

arg

(1 row)

SET work_mem = 8192;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [work_mem]

NOTICE: in object_access_hook_str: superuser finished alter (set) [work_mem]

NOTICE: in process utility: superuser finished set

RESET work_mem;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [work_mem]

NOTICE: in object_access_hook_str: superuser finished alter (set) [work_mem]

NOTICE: in process utility: superuser finished set

ALTER SYSTEM SET work_mem = 8192;

NOTICE: in process utility: superuser attempting alter system

NOTICE: in object_access_hook_str: superuser attempting alter (alter system set) [work_mem]

NOTICE: in object_access_hook_str: superuser finished alter (alter system set) [work_mem]

NOTICE: in process utility: superuser finished alter system

ALTER SYSTEM RESET work_mem;

NOTICE: in process utility: superuser attempting alter system

NOTICE: in object_access_hook_str: superuser attempting alter (alter system set) [work_mem]

NOTICE: in object_access_hook_str: superuser finished alter (alter system set) [work_mem]

NOTICE: in process utility: superuser finished alter system

RESET SESSION AUTHORIZATION;

NOTICE: in process utility: superuser attempting set

NOTICE: in object_access_hook_str: superuser attempting alter (set) [session_authorization]

NOTICE: in object_access_hook_str: superuser finished alter (set) [session_authorization]

NOTICE: in process utility: superuser finished set

SET test_oat_hooks.audit = false;

NOTICE: in process utility: superuser attempting set

SET test_oat_hooks.audit = true;

CREATE USER regress_test_user;

CREATE TABLE regress_test_table (t text);

GRANT SELECT ON Table regress_test_table TO public;

CREATE FUNCTION regress_test_func (t text) RETURNS text AS $$

SELECT $1;

$$ LANGUAGE sql;

GRANT EXECUTE ON FUNCTION regress_test_func (text) TO public;

SELECT * FROM regress_test_table;

SELECT regress_test_func('arg');

SET work_mem = 8192;

RESET work_mem;

ALTER SYSTEM SET work_mem = 8192;

ALTER SYSTEM RESET work_mem;

SET SESSION AUTHORIZATION regress_test_user;

SELECT * FROM regress_test_table;

SELECT regress_test_func('arg');

SET work_mem = 8192;

RESET work_mem;

ALTER SYSTEM SET work_mem = 8192;

ALTER SYSTEM RESET work_mem;

RESET SESSION AUTHORIZATION;

SET test_oat_hooks.deny_set_variable = true;

SET test_oat_hooks.deny_alter_system = true;

SET test_oat_hooks.deny_object_access = true;

SET test_oat_hooks.deny_exec_perms = true;

SET test_oat_hooks.deny_utility_commands = true;

SET SESSION AUTHORIZATION regress_test_user;

SELECT * FROM regress_test_table;

SELECT regress_test_func('arg');

SET work_mem = 8192;

RESET work_mem;

ALTER SYSTEM SET work_mem = 8192;

ALTER SYSTEM RESET work_mem;

RESET SESSION AUTHORIZATION;

SET test_oat_hooks.audit = false;