From 7debe5897436a84522ad2595ec7e553de3f114d7 Mon Sep 17 00:00:00 2001
From: Robins Tharakan
Date: Mon, 18 Mar 2013 13:24:52 +0530
Subject: [PATCH] Add regression tests for ROLE (USER)
---
 src/test/regress/expected/user.out | 331 ++++++++++++++++++++++++++++++++++
 src/test/regress/parallel_schedule | 2 +-
 src/test/regress/sql/user.sql | 342 ++++++++++++++++++++++++++++++++++++
 3 files changed, 674 insertions(+), 1 deletion(-)
 create mode 100644 src/test/regress/expected/user.out
 create mode 100644 src/test/regress/sql/user.sql
diff --git a/src/test/regress/expected/user.out b/src/test/regress/expected/user.out
new file mode 100644
index 0000000..bd86204
--- /dev/null
+++ b/src/test/regress/expected/user.out
@@ -0,0 +1,331 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+-- Should work. SET configuration during ALTER ROLE
+CREATE ROLE role_ro1;
+ALTER ROLE role_ro1 SET SEED=0.5;
+DROP ROLE role_ro1;
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE asdf SUPERUSER;
+ERROR: role "asdf" does not exist
+ALTER ROLE asdf SET SEED=0.5;
+ERROR: role "asdf" does not exist
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+SET ROLE role_ro2;
+CREATE ROLE role_ro3 SUPERUSER;
+ERROR: must be superuser to create superusers
+RESET ROLE;
+DROP ROLE role_ro2;
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+CREATE ROLE role_ro3;
+SET ROLE role_ro2;
+ALTER ROLE role_ro3 SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro3;
+DROP ROLE role_ro2;
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro4;
+CREATE ROLE role_ro5;
+SET ROLE role_ro4;
+ALTER ROLE role_ro5 SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro5;
+DROP ROLE role_ro4;
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro6 SUPERUSER;
+CREATE ROLE role_ro7;
+SET ROLE role_ro7;
+ALTER ROLE role_ro6 NOSUPERUSER;
+ERROR: must be superuser to alter superusers
+ALTER ROLE role_ro6 SET SEED=0.5;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro7;
+DROP ROLE role_ro6;
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE role_ro7;
+CREATE ROLE role_ro8;
+SET ROLE role_ro8;
+ALTER ROLE role_ro7 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE role_ro7 VALID UNTIL '2030/1/1';
+ERROR: permission denied
+RESET ROLE;
+DROP ROLE role_ro8;
+DROP ROLE role_ro7;
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE ROLE role_ro9;
+CREATE SCHEMA schema_ro9;
+SET ROLE role_ro9;
+ALTER ROLE role_ro9 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+DROP ROLE role_ro9;
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+ERROR: role "schema_ro11" does not exist
+DROP SCHEMA schema_ro11;
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE role_ro12;
+CREATE ROLE role_ro13 WITH REPLICATION;
+SET ROLE role_ro12;
+ALTER ROLE role_ro13 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE role_ro13 NOREPLICATION;
+ERROR: must be superuser to alter replication users
+DROP ROLE role_ro13;
+ERROR: permission denied to drop role
+RESET ROLE;
+DROP ROLE role_ro13;
+DROP ROLE role_ro12;
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE role_ro14;
+ALTER ROLE role_ro14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro14;
+CREATE ROLE role_ro15;
+ALTER ROLE role_ro15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro15;
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE role_ro16;
+ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+ ^
+DROP ROLE role_ro16;
+CREATE ROLE role_ro17;
+ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+ ^
+DROP ROLE role_ro17;
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE role_ro18;
+ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+ERROR: syntax error at or near "UNENCRYPTED"
+LINE 1: ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'ab...
+ ^
+DROP ROLE role_ro18;
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+CREATE ROLE role_ro19;
+ALTER ROLE role_ro19 WITH INHERIT NOINHERIT;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro19;
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+CREATE ROLE role_ro20;
+ALTER ROLE role_ro20 WITH CREATEDB NOCREATEDB;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro20;
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+CREATE ROLE role_ro21;
+ALTER ROLE role_ro21 WITH LOGIN NOLOGIN;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro21;
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+CREATE ROLE role_ro22;
+ALTER ROLE role_ro22 WITH CREATEROLE NOCREATEROLE;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro22;
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+CREATE ROLE role_ro23;
+ALTER ROLE role_ro23 WITH REPLICATION NOREPLICATION;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro23;
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+CREATE ROLE role_ro24;
+ALTER ROLE role_ro24 WITH CONNECTION LIMIT 0;
+DROP ROLE role_ro24;
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+CREATE ROLE role_ro25;
+ALTER ROLE role_ro25 VALID UNTIL;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro25 VALID UNTIL;
+ ^
+DROP ROLE role_ro25;
+-- Should fail. ALTER ROLE with invalid option
+CREATE ROLE role_ro26;
+ALTER ROLE role_ro26 ASDF;
+ERROR: unrecognized role option "asdf"
+LINE 1: ALTER ROLE role_ro26 ASDF;
+ ^
+DROP ROLE role_ro26;
+-- Should work. ALTER ROLE with valid values
+CREATE ROLE role_ro27;
+ALTER ROLE role_ro27 WITH VALID UNTIL '2030/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+DROP ROLE role_ro27;
+-- Should work. ALTER ROLE with SET and valid values
+CREATE ROLE role_ro28;
+ALTER ROLE role_ro28 SET SEED = 0.5 ;
+DROP ROLE role_ro28;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+CREATE ROLE role_ro29;
+ALTER ROLE role_ro29 IN DATABASE regression SET SEED = 0.5 ;
+DROP ROLE role_ro29;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+-- Should fail. ALTER ROLE with PASSWORD NULL
+CREATE ROLE role_ro30;
+ALTER ROLE role_ro30 PASSWORD NULL;
+DROP ROLE role_ro30;
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE role_ro31;
+SET ROLE role_ro31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+ERROR: must be owner of database postgres
+DROP ROLE role_ro31;
+ERROR: current transaction is aborted, commands ignored until end of transaction block
+ROLLBACK;
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE role_ro32;
+SET ROLE role_ro32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+ERROR: must be superuser to alter settings globally
+RESET ROLE;
+DROP ROLE role_ro32;
+-- Should fail. DROP ROLE for current user
+CREATE ROLE role_ro33 CREATEROLE;
+SET ROLE role_ro33;
+DROP ROLE role_ro33;
+ERROR: current user cannot be dropped
+RESET ROLE;
+DROP ROLE role_ro33;
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE role_ro34 SUPERUSER;
+CREATE ROLE role_ro34a CREATEROLE;
+SET SESSION AUTHORIZATION role_ro34;
+SET ROLE role_ro34a;
+DROP ROLE role_ro34;
+ERROR: session user cannot be dropped
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro34;
+DROP ROLE role_ro34a;
+-- Should work. ALTER ROLE RENAME
+CREATE ROLE role_ro37;
+ALTER ROLE role_ro37 RENAME TO role_ro37a;
+DROP ROLE role_ro37a;
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE asdf RENAME TO role_ro37b;
+ERROR: role "asdf" does not exist
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE role_ro38;
+SET SESSION AUTHORIZATION role_ro38;
+ALTER ROLE role_ro38 RENAME TO role_ro38a;
+ERROR: session user cannot be renamed
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro38;
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE role_ro39 CREATEROLE;
+SET ROLE role_ro39;
+ALTER ROLE role_ro39 RENAME TO role_ro39a;
+ERROR: current user cannot be renamed
+RESET ROLE;
+DROP ROLE role_ro39;
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE role_ro40;
+CREATE ROLE role_ro41;
+ALTER ROLE role_ro40 RENAME TO role_ro41;
+ERROR: role "role_ro41" already exists
+ALTER ROLE role_ro40 RENAME TO public;
+ERROR: role name "public" is reserved
+ALTER ROLE role_ro40 RENAME TO none;
+ERROR: role name "none" is reserved
+DROP ROLE role_ro40;
+DROP ROLE role_ro41;
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE role_ro42 SUPERUSER;
+CREATE ROLE role_ro43;
+SET ROLE role_ro43;
+ALTER ROLE role_ro42 RENAME TO role_ro42a;
+ERROR: must be superuser to rename superusers
+RESET ROLE;
+DROP ROLE role_ro43;
+DROP ROLE role_ro42;
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE role_ro44;
+CREATE ROLE role_ro45;
+SET ROLE role_ro45;
+ALTER ROLE role_ro44 RENAME TO role_ro44a;
+ERROR: permission denied to rename role
+RESET ROLE;
+DROP ROLE role_ro45;
+DROP ROLE role_ro44;
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE role_ro46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE role_ro46 RENAME TO role_ro46a;
+NOTICE: MD5 password cleared because of role rename
+DROP ROLE role_ro46a;
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE role_ro47 SUPERUSER;
+CREATE ROLE role_ro47b;
+CREATE ROLE role_ro48;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE role_ro48 CREATEROLE;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE role_ro48 SUPERUSER;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+REVOKE role_ro47 FROM role_ro47b;
+RESET ROLE;
+DROP ROLE role_ro47;
+DROP ROLE role_ro47b;
+DROP ROLE role_ro48;
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE role_ro49;
+CREATE ROLE role_ro50;
+CREATE ROLE role_ro51;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+ERROR: must have admin option on role "role_ro50"
+RESET ROLE;
+ALTER ROLE role_ro49 CREATEROLE;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+GRANT role_ro49 to role_ro50 WITH ADMIN OPTION;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+DROP ROLE role_ro51;
+DROP ROLE role_ro50;
+DROP ROLE role_ro49;
+-- Should fail. GRANT a ROLE should avoid becoming its own member or do loops
+CREATE ROLE role_ro52;
+CREATE ROLE role_ro53;
+GRANT role_ro52 TO role_ro52;
+ERROR: role "role_ro52" is a member of role "role_ro52"
+GRANT role_ro52 TO role_ro53;
+GRANT role_ro53 TO role_ro52;
+ERROR: role "role_ro53" is a member of role "role_ro52"
+DROP ROLE role_ro52;
+DROP ROLE role_ro53;
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE role_ro61;
+CREATE ROLE role_ro62;
+REVOKE role_ro62 FROM role_ro61;
+WARNING: role "role_ro61" is not a member of role "role_ro62"
+DROP ROLE role_ro62;
+DROP ROLE role_ro61;
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE role_ro63;
+CREATE ROLE role_ro64;
+GRANT role_ro64 TO role_ro63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR role_ro64 FROM role_ro63;
+DROP ROLE role_ro63;
+DROP ROLE role_ro64;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 2af28b1..7360f8b 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -59,7 +59,7 @@ test: create_index create_view
 # ----------
 # Another group of parallel tests
 # ----------
-test: create_aggregate create_function_3 create_cast constraints triggers inherit create_table_like typed_table vacuum drop_if_exists updatable_views
+test: create_aggregate create_function_3 create_cast constraints triggers inherit create_table_like typed_table vacuum drop_if_exists updatable_views user
 
 # ----------
 # sanity_check does a vacuum, affecting the sort order of SELECT *
diff --git a/src/test/regress/sql/user.sql b/src/test/regress/sql/user.sql
new file mode 100644
index 0000000..9ef8f9d
--- /dev/null
+++ b/src/test/regress/sql/user.sql
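Review bot: Three comments in this expected output announce a failure that the recorded result does not show: `ALTER ROLE role_ro24 WITH CONNECTION LIMIT 0;` and `ALTER ROLE role_ro30 PASSWORD NULL;` sit under "Should fail" but are followed by no ERROR line, and the `REVOKE role_ro62 FROM role_ro61;` case says "should throw error" while the output records only a WARNING. The same comments appear in sql/user.sql. These headers are the only statement of intent for each privilege check, so I would relabel them, e.g. `-- Should work. ALTER ROLE with CONNECTION LIMIT 0`, `-- Should work. ALTER ROLE with PASSWORD NULL`, and `-- Should warn. REVOKE without membership`. If a failure really was intended, the expected file is pinning the wrong behaviour and that should be settled before this is merged.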
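Review bot: The diffstat lists parallel_schedule as the only schedule file touched, so the new `user` test would run under the parallel schedule but not under a serial one; if this tree carries src/test/regress/serial_schedule, it needs a matching `test: user` line after `updatable_views`. Separately, roles are cluster-wide rather than per-database, and user.sql creates and drops several SUPERUSER roles while the other eleven tests of this group run concurrently in the same cluster. Whether any of them is sensitive to that is not visible in this hunk, so either give `user` a group of its own or add a comment above the `test:` line saying why sharing is safe.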
@@ -0,0 +1,342 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+
+-- Should work. SET configuration during ALTER ROLE
+CREATE ROLE role_ro1;
+ALTER ROLE role_ro1 SET SEED=0.5;
+DROP ROLE role_ro1;
+
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE asdf SUPERUSER;
+ALTER ROLE asdf SET SEED=0.5;
+
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+SET ROLE role_ro2;
+CREATE ROLE role_ro3 SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro2;
+
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+CREATE ROLE role_ro3;
+SET ROLE role_ro2;
+ALTER ROLE role_ro3 SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro3;
+DROP ROLE role_ro2;
+
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro4;
+CREATE ROLE role_ro5;
+SET ROLE role_ro4;
+ALTER ROLE role_ro5 SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro5;
+DROP ROLE role_ro4;
+
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro6 SUPERUSER;
+CREATE ROLE role_ro7;
+SET ROLE role_ro7;
+ALTER ROLE role_ro6 NOSUPERUSER;
+ALTER ROLE role_ro6 SET SEED=0.5;
+RESET ROLE;
+DROP ROLE role_ro7;
+DROP ROLE role_ro6;
+
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE role_ro7;
+CREATE ROLE role_ro8;
+SET ROLE role_ro8;
+ALTER ROLE role_ro7 SET SEED = 0.5;
+ALTER ROLE role_ro7 VALID UNTIL '2030/1/1';
+RESET ROLE;
+DROP ROLE role_ro8;
+DROP ROLE role_ro7;
+
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE ROLE role_ro9;
+CREATE SCHEMA schema_ro9;
+SET ROLE role_ro9;
+ALTER ROLE role_ro9 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+DROP ROLE role_ro9;
+
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+DROP SCHEMA schema_ro11;
+
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE role_ro12;
+CREATE ROLE role_ro13 WITH REPLICATION;
+SET ROLE role_ro12;
+ALTER ROLE role_ro13 SET SEED = 0.5;
+ALTER ROLE role_ro13 NOREPLICATION;
+DROP ROLE role_ro13;
+RESET ROLE;
+DROP ROLE role_ro13;
+DROP ROLE role_ro12;
+
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE role_ro14;
+ALTER ROLE role_ro14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro14;
+CREATE ROLE role_ro15;
+ALTER ROLE role_ro15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro15;
+
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE role_ro16;
+ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+DROP ROLE role_ro16;
+CREATE ROLE role_ro17;
+ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+DROP ROLE role_ro17;
+
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE role_ro18;
+ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro18;
+
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+CREATE ROLE role_ro19;
+ALTER ROLE role_ro19 WITH INHERIT NOINHERIT;
+DROP ROLE role_ro19;
+
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+CREATE ROLE role_ro20;
+ALTER ROLE role_ro20 WITH CREATEDB NOCREATEDB;
+DROP ROLE role_ro20;
+
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+CREATE ROLE role_ro21;
+ALTER ROLE role_ro21 WITH LOGIN NOLOGIN;
+DROP ROLE role_ro21;
+
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+CREATE ROLE role_ro22;
+ALTER ROLE role_ro22 WITH CREATEROLE NOCREATEROLE;
+DROP ROLE role_ro22;
+
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+CREATE ROLE role_ro23;
+ALTER ROLE role_ro23 WITH REPLICATION NOREPLICATION;
+DROP ROLE role_ro23;
+
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+CREATE ROLE role_ro24;
+ALTER ROLE role_ro24 WITH CONNECTION LIMIT 0;
+DROP ROLE role_ro24;
+
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+CREATE ROLE role_ro25;
+ALTER ROLE role_ro25 VALID UNTIL;
+DROP ROLE role_ro25;
+
+-- Should fail. ALTER ROLE with invalid option
+CREATE ROLE role_ro26;
+ALTER ROLE role_ro26 ASDF;
+DROP ROLE role_ro26;
+
+-- Should work. ALTER ROLE with valid values
+CREATE ROLE role_ro27;
+ALTER ROLE role_ro27 WITH VALID UNTIL '2030/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+DROP ROLE role_ro27;
+
+-- Should work. ALTER ROLE with SET and valid values
+CREATE ROLE role_ro28;
+ALTER ROLE role_ro28 SET SEED = 0.5 ;
+DROP ROLE role_ro28;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+CREATE ROLE role_ro29;
+ALTER ROLE role_ro29 IN DATABASE regression SET SEED = 0.5 ;
+DROP ROLE role_ro29;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with PASSWORD NULL
+CREATE ROLE role_ro30;
+ALTER ROLE role_ro30 PASSWORD NULL;
+DROP ROLE role_ro30;
+
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE role_ro31;
+SET ROLE role_ro31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+DROP ROLE role_ro31;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE role_ro32;
+SET ROLE role_ro32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+RESET ROLE;
+DROP ROLE role_ro32;
+
+-- Should fail. DROP ROLE for current user
+CREATE ROLE role_ro33 CREATEROLE;
+SET ROLE role_ro33;
+DROP ROLE role_ro33;
+RESET ROLE;
+DROP ROLE role_ro33;
+
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE role_ro34 SUPERUSER;
+CREATE ROLE role_ro34a CREATEROLE;
+SET SESSION AUTHORIZATION role_ro34;
+SET ROLE role_ro34a;
+DROP ROLE role_ro34;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro34;
+DROP ROLE role_ro34a;
+
+-- Should work. ALTER ROLE RENAME
+CREATE ROLE role_ro37;
+ALTER ROLE role_ro37 RENAME TO role_ro37a;
+DROP ROLE role_ro37a;
+
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE asdf RENAME TO role_ro37b;
+
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE role_ro38;
+SET SESSION AUTHORIZATION role_ro38;
+ALTER ROLE role_ro38 RENAME TO role_ro38a;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro38;
+
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE role_ro39 CREATEROLE;
+SET ROLE role_ro39;
+ALTER ROLE role_ro39 RENAME TO role_ro39a;
+RESET ROLE;
+DROP ROLE role_ro39;
+
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE role_ro40;
+CREATE ROLE role_ro41;
+ALTER ROLE role_ro40 RENAME TO role_ro41;
+ALTER ROLE role_ro40 RENAME TO public;
+ALTER ROLE role_ro40 RENAME TO none;
+DROP ROLE role_ro40;
+DROP ROLE role_ro41;
+
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE role_ro42 SUPERUSER;
+CREATE ROLE role_ro43;
+SET ROLE role_ro43;
+ALTER ROLE role_ro42 RENAME TO role_ro42a;
+RESET ROLE;
+DROP ROLE role_ro43;
+DROP ROLE role_ro42;
+
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE role_ro44;
+CREATE ROLE role_ro45;
+SET ROLE role_ro45;
+ALTER ROLE role_ro44 RENAME TO role_ro44a;
+RESET ROLE;
+DROP ROLE role_ro45;
+DROP ROLE role_ro44;
+
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE role_ro46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE role_ro46 RENAME TO role_ro46a;
+DROP ROLE role_ro46a;
+
+
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE role_ro47 SUPERUSER;
+CREATE ROLE role_ro47b;
+CREATE ROLE role_ro48;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+RESET ROLE;
+
+ALTER ROLE role_ro48 CREATEROLE;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+RESET ROLE;
+
+ALTER ROLE role_ro48 SUPERUSER;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+REVOKE role_ro47 FROM role_ro47b;
+RESET ROLE;
+
+DROP ROLE role_ro47;
+DROP ROLE role_ro47b;
+DROP ROLE role_ro48;
+
+
+
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE role_ro49;
+CREATE ROLE role_ro50;
+CREATE ROLE role_ro51;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+RESET ROLE;
+
+ALTER ROLE role_ro49 CREATEROLE;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+
+GRANT role_ro49 to role_ro50 WITH ADMIN OPTION;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+
+DROP ROLE role_ro51;
+DROP ROLE role_ro50;
+DROP ROLE role_ro49;
+
+
+
+-- Should fail. GRANT a ROLE should avoid becoming its own member or do loops
+CREATE ROLE role_ro52;
+CREATE ROLE role_ro53;
+GRANT role_ro52 TO role_ro52;
+GRANT role_ro52 TO role_ro53;
+GRANT role_ro53 TO role_ro52;
+DROP ROLE role_ro52;
+DROP ROLE role_ro53;
+
+
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE role_ro61;
+CREATE ROLE role_ro62;
+REVOKE role_ro62 FROM role_ro61;
+DROP ROLE role_ro62;
+DROP ROLE role_ro61;
+
+
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE role_ro63;
+CREATE ROLE role_ro64;
+GRANT role_ro64 TO role_ro63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR role_ro64 FROM role_ro63;
+DROP ROLE role_ro63;
+DROP ROLE role_ro64;
+
+
-- 1.7.10.4
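Review bot: The third step of the `role_ro49` case never exercises the ADMIN OPTION path its comment names: `role_ro49` still holds CREATEROLE from the preceding `ALTER ROLE`, and `GRANT role_ro49 to role_ro50 WITH ADMIN OPTION;` gives `role_ro50` admin on `role_ro49` rather than the reverse, so the final GRANT/REVOKE succeeds for the same reason as the second step. To cover membership-based administration, put `ALTER ROLE role_ro49 NOCREATEROLE;` before it and change the grant to `GRANT role_ro50 TO role_ro49 WITH ADMIN OPTION;`. Separately, the `role_ro27` case commits a `LOGIN SUPERUSER` role with the fixed password `'abc'`; when the suite runs against an existing cluster, that is a usable cluster-wide credential until the following `DROP ROLE`, and it remains if the run stops in between. Wrapping that case in `BEGIN TRANSACTION;` … `ROLLBACK;`, as the file already does for `ALTER ROLE ALL`, keeps the role from ever being committed.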