Initial commit — VPD Permission POC (clone-and-go)

ADB-centered row-level access control across heterogeneous DB sources (AWS RDS Postgres + MySQL) using Oracle VPD + Data Redaction + Secure Application Context, packaged as a one-click demo. Mechanism: - LOGON trigger calls ctx_pkg.init once per session to load the user's allowed regions from the permission mapping tables into a Secure App Context (VPD_CTX, USING ctx_pkg). - VPD policy function vpd_region_filter reads SYS_CONTEXT and returns an IN-list predicate (or '1=0' for fail-closed, NULL for '*'), which Oracle injects into every SELECT on the protected views. - Data Redaction reuses the same context to mask PII (email, full_name) when the allowed-regions value is not '*'. - 5 documented bypass attempts (direct DB link SELECT, SET_CONTEXT spoof, DBMS_RLS drop, mapping table SELECT) all blocked by GRANT scoping + DEFINER rights on ctx_pkg. One-click entrypoint: - ./run.sh {prereq|source|adb|tests|audit|all|teardown} - Source DDL (Postgres + MySQL customers + 12-row seed each) is applied via local psql/mysql; ADB-side setup via sqlplus with .env values injected as SQL*Plus DEFINE substitutions. Verified E2E on ADB 26ai + AWS RDS PG + RDS MySQL (mysql_community gateway) on 2026-05-26: VPDUSER_A sees only APAC rows (PG 2 / MySQL 6, PII masked), VPDUSER_B sees all (PG 12 / MySQL 17, PII unmasked). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-26 14:03:32 +09:00
commit 68d53dc5a9
23 changed files with 2396 additions and 0 deletions
--- a/scripts/lib/common.sh
+++ b/scripts/lib/common.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# 공용 함수 — log/ok/warn/die, 의존성 검사, 비밀번호 프롬프트
+# scripts/lib/common.sh
+
+RED='\033[0;31m'
+GRN='\033[0;32m'
+YLW='\033[0;33m'
+BLU='\033[0;34m'
+NC='\033[0m'
+
+log()  { printf "${BLU}[%s]${NC} %s\n" "$(date +%H:%M:%S)" "$*" >&2; }
+ok()   { printf "${GRN}[ OK ]${NC} %s\n" "$*" >&2; }
+warn() { printf "${YLW}[WARN]${NC} %s\n" "$*" >&2; }
+die()  { printf "${RED}[FAIL]${NC} %s\n" "$*" >&2; exit 1; }
+
+need_cmd() {
+  command -v "$1" >/dev/null 2>&1 || die "필수 명령 누락: $1 ($2)"
+}
+
+require_env() {
+  local missing=()
+  for v in "$@"; do
+    [[ -z "${!v:-}" ]] && missing+=("$v")
+  done
+  if (( ${#missing[@]} > 0 )); then
+    die ".env 누락 변수: ${missing[*]}"
+  fi
+}
+
+prompt_password_if_empty() {
+  # prompt_password_if_empty VAR_NAME "사람이 읽을 라벨"
+  local var="$1" label="$2"
+  if [[ -z "${!var:-}" ]]; then
+    printf "%s 비밀번호: " "$label" >&2
+    read -rs pw
+    echo >&2
+    [[ -n "$pw" ]] || die "$label 비밀번호가 비어있습니다"
+    export "$var=$pw"
+  fi
+}