Initial commit — VPD Permission POC (clone-and-go)

ADB-centered row-level access control across heterogeneous DB sources
(AWS RDS Postgres + MySQL) using Oracle VPD + Data Redaction +
Secure Application Context, packaged as a one-click demo.

Mechanism:
- LOGON trigger calls ctx_pkg.init once per session to load the user's
  allowed regions from the permission mapping tables into a Secure App
  Context (VPD_CTX, USING ctx_pkg).
- VPD policy function vpd_region_filter reads SYS_CONTEXT and returns
  an IN-list predicate (or '1=0' for fail-closed, NULL for '*'),
  which Oracle injects into every SELECT on the protected views.
- Data Redaction reuses the same context to mask PII (email, full_name)
  when the allowed-regions value is not '*'.
- 5 documented bypass attempts (direct DB link SELECT, SET_CONTEXT
  spoof, DBMS_RLS drop, mapping table SELECT) all blocked by GRANT
  scoping + DEFINER rights on ctx_pkg.

One-click entrypoint:
- ./run.sh {prereq|source|adb|tests|audit|all|teardown}
- Source DDL (Postgres + MySQL customers + 12-row seed each) is
  applied via local psql/mysql; ADB-side setup via sqlplus with .env
  values injected as SQL*Plus DEFINE substitutions.

Verified E2E on ADB 26ai + AWS RDS PG + RDS MySQL (mysql_community
gateway) on 2026-05-26: VPDUSER_A sees only APAC rows (PG 2 / MySQL 6,
PII masked), VPDUSER_B sees all (PG 12 / MySQL 17, PII unmasked).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

sql/adb/06_policy.sql

@@ -0,0 +1,84 @@
+-- ============================================================
+-- 05_policy.sql
+-- VPD policy function + DBMS_RLS.ADD_POLICY attachments.
+--
+-- The function returns a row-filter predicate based on the
+-- secure context loaded at logon. If no permission is loaded for
+-- this object, it returns an impossible predicate so the user
+-- sees ZERO rows (fail closed).
+-- ============================================================
+SET ECHO OFF
+SET FEEDBACK ON
+
+PROMPT === Creating policy function vpd_region_filter ===
+CREATE OR REPLACE FUNCTION vpd_region_filter(
+  p_schema IN VARCHAR2,
+  p_object IN VARCHAR2
+) RETURN VARCHAR2 AS
+  v_regions VARCHAR2(4000);
+  v_pred    VARCHAR2(4000);
+  v_list    VARCHAR2(4000);
+BEGIN
+  -- Read the CSV of allowed regions for this object from secure context.
+  v_regions := SYS_CONTEXT('VPD_CTX', UPPER(p_object));
+
+  IF v_regions IS NULL THEN
+    -- Fail closed: no entry => no rows visible.
+    RETURN '1=0';
+  END IF;
+
+  IF INSTR(v_regions, '*') > 0 THEN
+    -- Wildcard => no row filter (full visibility on this object).
+    RETURN NULL;
+  END IF;
+
+  -- Convert CSV 'KR,APAC' -> "'KR','APAC'" for an IN-list.
+  -- (Region values come only from our own permission table, so quoting
+  --  by escaping single quotes is sufficient; no untrusted user input.)
+  SELECT LISTAGG('''' || REPLACE(TRIM(column_value),'''','''''') || '''', ',')
+         WITHIN GROUP (ORDER BY column_value)
+  INTO   v_list
+  FROM   TABLE(APEX_STRING.SPLIT(v_regions, ','));
+
+  IF v_list IS NULL THEN
+    RETURN '1=0';
+  END IF;
+
+  v_pred := 'region IN (' || v_list || ')';
+  RETURN v_pred;
+END;
+/
+
+SHOW ERRORS
+
+PROMPT === Attaching policies to views ===
+BEGIN
+  DBMS_RLS.ADD_POLICY(
+    object_schema   => USER,
+    object_name     => 'V_CUSTOMERS_PG',
+    policy_name     => 'CUSTOMERS_PG_POLICY',
+    function_schema => USER,
+    policy_function => 'VPD_REGION_FILTER',
+    statement_types => 'SELECT',
+    update_check    => FALSE,
+    enable          => TRUE
+  );
+END;
+/
+
+BEGIN
+  DBMS_RLS.ADD_POLICY(
+    object_schema   => USER,
+    object_name     => 'V_CUSTOMERS_MY',
+    policy_name     => 'CUSTOMERS_MY_POLICY',
+    function_schema => USER,
+    policy_function => 'VPD_REGION_FILTER',
+    statement_types => 'SELECT',
+    update_check    => FALSE,
+    enable          => TRUE
+  );
+END;
+/
+
+PROMPT === Policies attached ===
+EXIT;