Initial commit — VPD Permission POC (clone-and-go)

ADB-centered row-level access control across heterogeneous DB sources
(AWS RDS Postgres + MySQL) using Oracle VPD + Data Redaction +
Secure Application Context, packaged as a one-click demo.

Mechanism:
- LOGON trigger calls ctx_pkg.init once per session to load the user's
  allowed regions from the permission mapping tables into a Secure App
  Context (VPD_CTX, USING ctx_pkg).
- VPD policy function vpd_region_filter reads SYS_CONTEXT and returns
  an IN-list predicate (or '1=0' for fail-closed, NULL for '*'),
  which Oracle injects into every SELECT on the protected views.
- Data Redaction reuses the same context to mask PII (email, full_name)
  when the allowed-regions value is not '*'.
- 5 documented bypass attempts (direct DB link SELECT, SET_CONTEXT
  spoof, DBMS_RLS drop, mapping table SELECT) all blocked by GRANT
  scoping + DEFINER rights on ctx_pkg.

One-click entrypoint:
- ./run.sh {prereq|source|adb|tests|audit|all|teardown}
- Source DDL (Postgres + MySQL customers + 12-row seed each) is
  applied via local psql/mysql; ADB-side setup via sqlplus with .env
  values injected as SQL*Plus DEFINE substitutions.

Verified E2E on ADB 26ai + AWS RDS PG + RDS MySQL (mysql_community
gateway) on 2026-05-26: VPDUSER_A sees only APAC rows (PG 2 / MySQL 6,
PII masked), VPDUSER_B sees all (PG 12 / MySQL 17, PII unmasked).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

sql/adb/04_secure_ctx.sql

@@ -0,0 +1,70 @@
+-- ============================================================
+-- 03_secure_ctx.sql
+-- Secure application context. ONLY ctx_pkg can SET vpd_ctx.*
+-- End-users cannot spoof their identity / region list.
+--
+-- The package is AUTHID DEFINER so it can read permission tables
+-- without granting end-users direct SELECT on those tables.
+-- It uses SYS_CONTEXT('USERENV','SESSION_USER') to identify the
+-- *invoker*, so even if an end-user calls it directly they only
+-- ever load their OWN permissions.
+-- ============================================================
+SET ECHO OFF
+SET FEEDBACK ON
+
+PROMPT === Creating context package spec ===
+CREATE OR REPLACE PACKAGE ctx_pkg AUTHID DEFINER AS
+  -- Called from the LOGON trigger (or manually).
+  -- Loads the connecting user's allowed regions per object into vpd_ctx.
+  PROCEDURE init;
+END ctx_pkg;
+/
+
+PROMPT === Creating context package body ===
+CREATE OR REPLACE PACKAGE BODY ctx_pkg AS
+  PROCEDURE init IS
+    v_user app_user.db_username%TYPE := SYS_CONTEXT('USERENV','SESSION_USER');
+    v_uid  app_user.user_id%TYPE;
+  BEGIN
+    -- Look up app_user by Oracle session username (always uppercased).
+    BEGIN
+      SELECT user_id INTO v_uid
+      FROM   app_user
+      WHERE  db_username = v_user
+      AND    active = 'Y';
+    EXCEPTION WHEN NO_DATA_FOUND THEN
+      -- Not an app user; leave context empty -> policy will return impossible predicate.
+      RETURN;
+    END;
+
+    -- For each object the user has permission on, aggregate allowed_regions
+    -- across all groups the user belongs to.
+    --   '*' wins over any specific list.
+    FOR r IN (
+      SELECT p.object_name,
+             CASE WHEN MAX(CASE WHEN p.allowed_regions='*' THEN 1 ELSE 0 END) = 1
+                  THEN '*'
+                  ELSE LISTAGG(p.allowed_regions, ',') WITHIN GROUP (ORDER BY p.allowed_regions)
+             END AS regions
+      FROM   permission p
+      JOIN   user_group ug ON ug.group_id = p.group_id
+      WHERE  ug.user_id = v_uid
+      GROUP  BY p.object_name
+    ) LOOP
+      -- Attribute name = object name (e.g. V_CUSTOMERS_PG), value = CSV of regions.
+      DBMS_SESSION.SET_CONTEXT('VPD_CTX', r.object_name, r.regions);
+    END LOOP;
+
+    -- Also store the user_id for auditing / future use.
+    DBMS_SESSION.SET_CONTEXT('VPD_CTX', 'USER_ID', TO_CHAR(v_uid));
+  END init;
+END ctx_pkg;
+/
+
+PROMPT === Binding secure context to ctx_pkg ===
+-- This is the critical line: only code running INSIDE admin.ctx_pkg
+-- can call DBMS_SESSION.SET_CONTEXT on the VPD_CTX namespace.
+CREATE OR REPLACE CONTEXT vpd_ctx USING ctx_pkg;
+
+PROMPT === Secure context ready ===
+EXIT;