joungmin/vpd-permission-poc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Pivot scenario from region-based 2 users to source-based 4 users

Browse Source 
Replaces the original APAC-vs-all 2-user demo (vpduser_a/b on
KR_ANALYSTS/GLOBAL_ADMINS groups) with a 2x2 source-access matrix:

  vpduser_my    -> MY_ONLY      group  -> MySQL view only
  vpduser_pg    -> PG_ONLY      group  -> Postgres view only
  vpduser_both  -> BOTH_SOURCES group  -> both views
  vpduser_none  -> (no group)          -> nothing (default deny)

Why: source-level segmentation is the more common production
permission story than region-level filtering. Region filtering
remains available as an opt-in variant via commented UPDATE in
sql/adb/03_seed.sql.

Key changes:
- 03_seed.sql, 07_end_users.sql, 00_cleanup.sql, .env.example,
  run.sh updated for the new 4-user model. All 4 users get
  identical view GRANTs; the only differentiator is the
  permission table (proves the model is "data-driven, not
  GRANT-driven").
- 08-11 split into one file per user: my (+ 5 bypass attempts),
  pg, both, none (default-deny verification).
- 12_tests_admin_audit.sql uses LEFT JOIN so vpduser_none shows
  up as NULL permissions, and filters by object_owner=USER to
  exclude cross-schema policies.
- Removed inline "-- comment" after ";" lines in 03_seed.sql:
  SQL*Plus silently skipped the inserts (documented gotcha).
- README.md + docs/01,02 updated for the 4-user matrix. docs/03
  detailed guide keeps the region-filter example but now has a
  preface explaining it's a variant of the default 4-user model.
- docs/04: db_type='mysql_community' note added (RDS MySQL).

E2E verified: PG=0/MY=17, PG=12/MY=0, PG=12/MY=17, PG=0/MY=0
plus all 5 bypass attempts blocked.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
devmrko
2026-05-26 14:42:11 +09:00
parent 68d53dc5a9
commit ed91306ee3
17 changed files with 424 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.env.example
View File

@@ -22,8 +22,15 @@ export ADB_PASSWORD="" # 비워두면
# --- (3) 데모용 ADB 엔드유저 비밀번호 (sql/adb/07_end_users.sql 에서 사용) ---
# ADB 비번 정책: 12자 이상, 대/소/숫자/특수 조합.
export VPDUSER_A_PASSWORD="RowFilter#A2026"
export VPDUSER_B_PASSWORD="RowFilter#B2026"
# 4명의 데모 유저:
# vpduser_my → MySQL view 만 SELECT 가능
# vpduser_pg → Postgres view 만 SELECT 가능
# vpduser_both → 양쪽 view 모두 SELECT 가능
# vpduser_none → 양쪽 view 모두 fail-closed (0 rows)
export VPDUSER_MY_PASSWORD="RowFilter#My2026"
export VPDUSER_PG_PASSWORD="RowFilter#Pg2026"
export VPDUSER_BOTH_PASSWORD="RowFilter#Both26"
export VPDUSER_NONE_PASSWORD="RowFilter#None26"
# --- (4) 원격 Postgres (AWS RDS, Cloud SQL, ...) ---
# sql/source/postgres_setup.sql 가 여기로 customers 테이블/seed 생성.

48
README.md
View File

@@ -21,7 +21,7 @@ End-to-End 데모입니다.
| ADB - 컨텍스트 | `vpd_ctx` (Secure Application Context) + `ctx_pkg` | 로그인 시 권한을 세션 컨텍스트로 로딩 |
| ADB - 뷰 | `v_customers_pg`, `v_customers_my` | DB Link 위의 통합 뷰. **이 뷰에만 VPD/Redaction 정책이 붙음** |
| ADB - 정책 | `CUSTOMERS_PG_POLICY`, `CUSTOMERS_MY_POLICY`, `PII_REDACT_PG/MY` | VPD 행 필터 + 이메일 마스킹 |
| ADB - 엔드유저 | `vpduser_a`, `vpduser_b` | 최소 권한. 뷰만 SELECT 가능. LOGON 트리거로 컨텍스트 자동 로딩 |
| ADB - 엔드유저 | `vpduser_my`, `vpduser_pg`, `vpduser_both`, `vpduser_none` | 최소 권한. 뷰만 SELECT 가능. LOGON 트리거로 컨텍스트 자동 로딩 |
---
@@ -44,7 +44,7 @@ $EDITOR .env
1. **prereq**`sqlplus`, `psql`, `mysql` 존재 + `.env` 변수 검증
2. **source** — 원격 PG/MySQL 에 `customers` 테이블 + seed (멱등)
3. **adb** — ADB 측 cleanup → DB Link → 권한 테이블/seed → context/view/policy → 엔드유저
4. **tests**`vpduser_a``vpduser_b` 로 접속해 행 필터/마스킹 검증
4. **tests**4 명 (`vpduser_my`/`vpduser_pg`/`vpduser_both`/`vpduser_none`) 로 접속해 행 필터/마스킹/default-deny 검증
5. **audit** — ADMIN 으로 정책/뷰/유저 상태 점검
세부 단계만 따로 돌리려면:
@@ -73,23 +73,33 @@ $EDITOR .env
---
## 데모 시나리오
## 데모 시나리오 — 2×2 source access matrix
`sql/adb/03_seed.sql` 의 매핑:
`sql/adb/03_seed.sql` 의 매핑 (4 유저, 4 케이스):
| DB 유저 | 그룹 | 볼 수 있는 region |
|---|---|---|
| `vpduser_a` | `KR_ANALYSTS` | `APAC` |
| `vpduser_b` | `GLOBAL_ADMINS` | `*` (전체) |
| DB 유저 | 그룹 | PG 뷰 | MySQL 뷰 | VPD 결과 |
|---|---|---|---|---|
| `vpduser_my` | `MY_ONLY` | ✗ 0 rows | ✓ ALL | PG=`1=0` / MY=`NULL` |
| `vpduser_pg` | `PG_ONLY` | ✓ ALL | ✗ 0 rows | PG=`NULL` / MY=`1=0` |
| `vpduser_both` | `BOTH_SOURCES` | ✓ ALL | ✓ ALL | PG=`NULL` / MY=`NULL` |
| `vpduser_none` | (그룹 없음) | ✗ 0 rows | ✗ 0 rows | PG=`1=0` / MY=`1=0` (default deny) |
따라서:
핵심 포인트:
* `vpduser_a``SELECT * FROM admin.v_customers_pg` → APAC rows 만, 이메일 마스킹됨
* `vpduser_b` 로 같은 쿼리 → 전체 rows, 이메일 원본
* 누구든 원본 테이블 직접 접근 시도 (`@RDS_POSTGRES_LINK` 등) → 권한 없음
* 네 유저 모두 **양쪽 뷰에 SELECT GRANT 는 동일하게 주어집니다.** 차이를 만드는 건
GRANT 가 아니라 `permission` 테이블의 행. 즉 **권한 회수 = GRANT 해제가 아니라
permission row 삭제**.
* `vpduser_none` 처럼 매핑이 아예 없는 유저는 자동으로 fail-closed
(`1=0` predicate) — **deny by default**.
* 누구든 원본 테이블 직접 접근 시도 (`@RDS_POSTGRES_LINK` 등) → 권한 없음.
`sql/adb/08_tests_user_a.sql` 가 우회 시도 5개 (DBMS_RLS 변경, 다른 유저 컨텍스트
설정 등) 를 시도하고 모두 ORA-xxxxx 로 실패하는 것을 보여줍니다.
`sql/adb/08_tests_user_my.sql` 가 우회 시도 5개 (원격 직접 SELECT, 컨텍스트
스푸핑, DBMS_RLS 변경, 매핑 테이블 SELECT) 를 시도하고 모두 ORA-xxxxx 로 실패하는 것을
보여줍니다. 09/10/11 은 각 유저의 expected 행 수를 가볍게 확인합니다.
> Row-level region 필터링 (예: `vpduser_both` 가 PG 는 APAC 만) 도 정책 함수에
> 그대로 살아있습니다. `03_seed.sql` 하단의 주석 처리된 `UPDATE permission ...
> allowed_regions='APAC'` 한 줄이면 활성화됩니다.
---
@@ -113,10 +123,12 @@ $EDITOR .env
│ ├── 05_views.sql # DB Link 통합 뷰
│ ├── 06_policy.sql # VPD 정책 + 정책 함수
│ ├── 06a_redaction.sql # Data Redaction (이메일 마스킹)
│ ├── 07_end_users.sql # vpduser_a/b + LOGON 트리거
│ ├── 08_tests_user_a.sql # APAC-only 검증 + 우회 시도
│ ├── 09_tests_user_b.sql # GLOBAL_ADMIN 검증
── 10_tests_admin_audit.sql
│ ├── 07_end_users.sql # 4 유저 + LOGON 트리거
│ ├── 08_tests_user_my.sql # MY only 우회 시도 5종 포함
│ ├── 09_tests_user_pg.sql # PG only
── 10_tests_user_both.sql # both
│ ├── 11_tests_user_none.sql # default deny (fail-closed) 검증
│ └── 12_tests_admin_audit.sql
└── docs/
└── 03-detailed-guide.md # 한국어 상세 설명 (아키텍처, 정책 로직, 운영 고려사항)
```

18
docs/01-quickstart.md
View File

@@ -53,8 +53,8 @@ $EDITOR .env
| `PG_HOST` 등 | 원격 Postgres 연결정보 |
| `MY_HOST` 등 | 원격 MySQL 연결정보 |
VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로 써도 무방하지만,
공유 환경이면 바꿔주세요.
VPDUSER (`my` / `pg` / `both` / `none`) 의 패스워드는 데모용 기본값이 들어있으니 그대로
써도 무방하지만, 공유 환경이면 바꿔주세요.
---
@@ -71,7 +71,7 @@ VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로
[ OK ] Postgres source 준비 완료
[ OK ] MySQL source 준비 완료
[ OK ] ADB setup 완료
[ OK ] user_a / user_b 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인)
[ OK ] 4명 (MY / PG / BOTH / NONE) 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인)
[ OK ] audit 완료
[ OK ] === ALL DONE — VPD POC 전체 파이프라인 통과 ===
```
@@ -79,9 +79,15 @@ VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로
이후 직접 검증해보고 싶으면:
```bash
# vpduser_a 로 접속 → APAC rows 만 보여야 함
sqlplus vpduser_a/${VPDUSER_A_PASSWORD}@${ADB_TNS}
SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region;
# vpduser_pg 로 접속 → PG 뷰는 전부 보이고 MY 뷰는 0 rows 여야 함
sqlplus vpduser_pg/${VPDUSER_PG_PASSWORD}@${ADB_TNS}
SQL> SELECT COUNT(*) FROM admin.v_customers_pg; -- 12
SQL> SELECT COUNT(*) FROM admin.v_customers_my; -- 0
# vpduser_none 으로 접속 → 양쪽 뷰 모두 0 rows (default deny)
sqlplus vpduser_none/${VPDUSER_NONE_PASSWORD}@${ADB_TNS}
SQL> SELECT COUNT(*) FROM admin.v_customers_pg; -- 0
SQL> SELECT COUNT(*) FROM admin.v_customers_my; -- 0
```
---

11
docs/02-architecture.md
View File

@@ -43,7 +43,8 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0.
```
+---------------------+
| vpduser_a / b | ← 사용자 로그인
| vpduser_my / pg / | ← 사용자 로그인
| both / none |
+----------+----------+
|
(1) LOGON 트리거
@@ -88,7 +89,7 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0.
|---|---|
| `app_customer` | 도메인의 "고객사" 개념 (멀티 테넌트 hook) |
| `app_user` | DB 유저 → 도메인 유저 매핑 (`db_username` 컬럼이 핵심) |
| `app_group` | 그룹 (KR_ANALYSTS, GLOBAL_ADMINS, ...) |
| `app_group` | 그룹 (MY_ONLY, PG_ONLY, BOTH_SOURCES, ...) |
| `user_group` | user ↔ group N:N |
| `db_source` | 원본 소스 식별자 (PG, MY) |
| `permission` | (group, source, region) 행 — `region='*'` 이면 전체 허용 |
@@ -112,7 +113,7 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0.
4. 그 외 → `RETURN 'region IN (''APAC'',''EMEA'')'` 형식으로 in-list
→ 컨텍스트는 **Secure Application Context** (`USING ctx_pkg`) 라 다른 패키지에서
설정 불가. `vpduser_a` `DBMS_SESSION.SET_CONTEXT('VPD_CTX', ...)` 직접 호출 →
설정 불가. 엔드유저`DBMS_SESSION.SET_CONTEXT('VPD_CTX', ...)` 직접 호출 →
ORA-01031.
---
@@ -134,8 +135,8 @@ ORA-01031.
| 누가 | 무엇을 할 수 있나 |
|---|---|
| `ADMIN` (ADB 관리자) | 전부 다. 정책 BYPASS. **운영에선 절대 일반 사용자에게 주지 말 것** |
| `vpduser_a/b` | (a) 자기에게 GRANT 된 뷰 SELECT, (b) `ctx_pkg.init` 호출 |
| `vpduser_a/b`**못** 하는 것 | DBMS_RLS 변경, EXEMPT ACCESS POLICY, CREATE TABLE (스냅샷 방지), 매핑 테이블 직접 SELECT, DB Link 직접 SELECT |
| `vpduser_*` (my/pg/both/none) | (a) 자기에게 GRANT 된 뷰 SELECT, (b) `ctx_pkg.init` 호출 |
| `vpduser_*`**못** 하는 것 | DBMS_RLS 변경, EXEMPT ACCESS POLICY, CREATE TABLE (스냅샷 방지), 매핑 테이블 직접 SELECT, DB Link 직접 SELECT |
→ 즉 엔드유저 입장에서 정책을 우회할 표면이 없습니다. `07_end_users.sql`
주석에서 "what we are deliberately NOT granting" 섹션이 그 목록.

88
docs/03-detailed-guide.md
View File

@@ -3,6 +3,13 @@
> **이 문서의 대상 독자:** 데이터베이스 보안이나 Oracle 기술에 익숙하지 않은 분.
> 용어가 나올 때마다 풀어서 설명하고, 왜 그 장치가 필요한지를 함께 적습니다.
> **시나리오 안내:** 현재 `./run.sh` 가 자동으로 깔아주는 기본 시나리오는 4명의
> 엔드유저 (`vpduser_my`/`pg`/`both`/`none`) 가 각각 다른 소스에 접근 가능한 **소스
> 단위 매트릭스** 입니다 (README 참고). 본 상세 가이드는 그 위에 얹을 수 있는 **행
> 단위 region 필터링** 변형(`KR_ANALYSTS → APAC`, `GLOBAL_ADMINS → '*'`) 을 예시로
> 사용합니다 — VPD 메커니즘 자체는 동일하므로 개념 이해에는 차이가 없습니다.
> region 필터를 실제로 켜려면 `sql/adb/03_seed.sql` 하단의 주석을 해제하세요.
---
## 목차
@@ -470,24 +477,35 @@ AUDIT POLICY vpd_view_access;
## 9. 디렉터리·파일 구조
```
ords/
├── .env ← ADB 연결 정보 (비밀번호 포함, .gitignore 됨)
├── .gitignore ← .env, *.log 제외
├── README.md ← (선택) 실행 가이드
├── run_poc.sh ← 셋업/테스트/감사 일괄 실행 스크립트
vpd-permission-poc/
├── .env ← ADB + RDS 연결 정보 (.gitignore 됨)
├── .env.example
├── README.md ← 클론-앤-고 가이드
├── run.sh ← 원클릭 오케스트레이터
├── scripts/lib/common.sh
├── sql/
│ ├── 00_cleanup.sql ← 초기화 (멱등성)
│ ├── 01_perm_tables.sql 권한 모델 6개 테이블 생성
├── 02_seed.sql ← 데모 데이터 주입
── 03_secure_ctx.sql ← ctx_pkg + Secure Context 생성
│ ├── 04_views.sql ← 외부 테이블에 대한 로컬 뷰 2개
│ ├── 05_policy.sql ← VPD 정책 함수 + ADD_POLICY
│ ├── 06_end_users.sql ← 일반 사용자 2명 + LOGON 트리거
│ ├── 07_tests_user_a.sql ← VPDUSER_A 입장에서 검증
│ ├── 08_tests_user_b.sql ← VPDUSER_B 입장에서 검증
└── 09_tests_admin_audit.sql ← ADMIN 입장에서 정책·권한 현황 감사
│ ├── source/
│ ├── postgres_setup.sql ← 원격 PG: customers + 12 rows
│ └── mysql_setup.sql ← 원격 MySQL: customers + 12 rows
── adb/
├── 00_cleanup.sql ← 멱등 초기화
├── 01_dblinks.sql ← DB Link + credential
├── 02_perm_tables.sql ← 권한 매핑 6개 테이블
├── 03_seed.sql ← 4-user 매트릭스 시드
├── 04_secure_ctx.sql ctx_pkg + Secure Context
├── 05_views.sql ← DB Link 통합 뷰
│ ├── 06_policy.sql ← VPD 정책 + 정책 함수
│ ├── 06a_redaction.sql ← Data Redaction (이메일/이름 마스킹)
│ ├── 07_end_users.sql ← 4 유저 + LOGON 트리거
│ ├── 08_tests_user_my.sql ← MY only + 우회 시도 5종
│ ├── 09_tests_user_pg.sql ← PG only
│ ├── 10_tests_user_both.sql ← both
│ ├── 11_tests_user_none.sql ← default deny 검증
│ └── 12_tests_admin_audit.sql
└── docs/
── 설명.md ← (이 문서)
── 01-quickstart.md
├── 02-architecture.md
└── 03-detailed-guide.md ← (이 문서)
```
---
@@ -495,18 +513,18 @@ ords/
## 10. 실행 방법
```bash
cd /Users/joungminko/devkit/ords
cd vpd-permission-poc
# 1) 전체 셋업 + 테스트 + 감사 한 번에
./run_poc.sh all
# 1) 전체 파이프라인 한 번에
./run.sh # = ./run.sh all
# 또는 단계별로:
./run_poc.sh setup # 정리 + 모든 객체 생성
./run_poc.sh test # VPDUSER_A, VPDUSER_B 시점 테스트
./run_poc.sh audit # ADMIN 시점 정책·권한 감사
./run_poc.sh teardown # 전부 삭제
# .env 파일이 있어야 합니다. (이 POC 에는 포함됨)
./run.sh prereq # 도구/.env 검증
./run.sh source # 원격 PG + MySQL 에 customers 테이블/seed
./run.sh adb # ADB 측 cleanup → dblink → 권한/뷰/정책 → 4 유저
./run.sh tests # 4 명 (MY/PG/BOTH/NONE) 시점 테스트
./run.sh audit # ADMIN 시점 정책·권한 감사
./run.sh teardown # ADB 측 객체 + dblink 정리
```
### 사람의 눈으로 직접 확인하고 싶을 때
@@ -514,15 +532,21 @@ cd /Users/joungminko/devkit/ords
```bash
source .env
# VPDUSER_A로 직접 들어가서 쿼리해보기:
sqlplus "vpduser_a/\"RowFilter#A2026\"@$ADB_TNS"
# 기본 시나리오 — vpduser_pg: PG 뷰는 다 보이고 MySQL 뷰는 0 rows
sqlplus "vpduser_pg/\"${VPDUSER_PG_PASSWORD}\"@$ADB_TNS"
SQL> SELECT COUNT(*) FROM admin.v_customers_pg; -- 12
SQL> SELECT COUNT(*) FROM admin.v_customers_my; -- 0
# vpduser_none — default deny
sqlplus "vpduser_none/\"${VPDUSER_NONE_PASSWORD}\"@$ADB_TNS"
SQL> SELECT COUNT(*) FROM admin.v_customers_pg; -- 0
SQL> SELECT COUNT(*) FROM admin.v_customers_my; -- 0
# region 필터 변형을 켰을 때 — vpduser_both 에게 APAC 만 허용한 경우
# (sql/adb/03_seed.sql 하단 UPDATE 주석 해제 후)
sqlplus "vpduser_both/\"${VPDUSER_BOTH_PASSWORD}\"@$ADB_TNS"
SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region;
-- 결과: APAC 만 보임
# VPDUSER_B로:
sqlplus "vpduser_b/\"RowFilter#B2026\"@$ADB_TNS"
SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region;
-- 결과: APAC, EMEA, NA 모두 보임
```
---

5
docs/04-source-setup.md
View File

@@ -41,7 +41,7 @@ seed rows : 12 (PK 101~112, 역시 APAC/EMEA/AMER 4/4/4)
PK 범위를 PG (1~12) 와 다르게 가져간 이유:
* 두 소스는 서로 독립적인 별개의 데이터 라는 것을 데모에서 시각적으로 보여주기 위함
* `vpduser_b` 가 양쪽 뷰를 합칠 때 PK 가 겹치지 않아 UNION 데모하기 쉬움
* `vpduser_both` 가 양쪽 뷰를 합칠 때 PK 가 겹치지 않아 UNION 데모하기 쉬움
수동 실행:
@@ -68,7 +68,8 @@ DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK(
);
```
MySQL 도 동일 패턴, `db_type``'mysql'`.
MySQL 도 동일 패턴, `db_type``'mysql_community'` (AWS RDS MySQL 은 Community 빌드 — 기본
`'mysql'` 은 Enterprise Server 전용이라 `ORA-28500` 으로 거절됨).
링크 검증:

27
run.sh
View File

@@ -7,7 +7,7 @@
# ./run.sh prereq # 도구 존재 / .env 변수만 검증
# ./run.sh source # 원격 PG + MySQL 에 customers 테이블/seed 생성
# ./run.sh adb # ADB 측 cleanup → dblinks → perm/ctx/view/policy → end_users
# ./run.sh tests # vpduser_a / vpduser_b 로 접속해서 행 필터 검증
# ./run.sh tests # 4-user (my/pg/both/none) 로 접속해서 행 필터 검증
# ./run.sh audit # admin 으로 정책/뷰/유저 상태 점검
# ./run.sh all # source → adb → tests → audit
# ./run.sh teardown # ADB 측 객체 + 원격 link/cred 만 정리 (원격 PG/MySQL 데이터는 보존)
@@ -61,14 +61,16 @@ DEFINE MY_PORT = ${MY_PORT}
DEFINE MY_DB = "${MY_DB}"
DEFINE MY_USER = "${MY_USER}"
DEFINE MY_PASSWORD = "${MY_PASSWORD}"
DEFINE VPDUSER_A_PASSWORD = "${VPDUSER_A_PASSWORD}"
DEFINE VPDUSER_B_PASSWORD = "${VPDUSER_B_PASSWORD}"
DEFINE VPDUSER_MY_PASSWORD = "${VPDUSER_MY_PASSWORD}"
DEFINE VPDUSER_PG_PASSWORD = "${VPDUSER_PG_PASSWORD}"
DEFINE VPDUSER_BOTH_PASSWORD = "${VPDUSER_BOTH_PASSWORD}"
DEFINE VPDUSER_NONE_PASSWORD = "${VPDUSER_NONE_PASSWORD}"
@${sql_file}
SQLEOF
}
# ============================================================
# 헬퍼: 엔드유저 (vpduser_a / vpduser_b) 로 sqlplus 호출
# 헬퍼: 엔드유저 (vpduser_my / pg / both / none) 로 sqlplus 호출
# 인자: $1 = USER, $2 = PASSWORD, $3 = SQL 파일
# ============================================================
run_sqlplus_as() {
@@ -93,7 +95,8 @@ do_prereq() {
require_env \
TNS_ADMIN ADB_TNS ADB_USER \
VPDUSER_A_PASSWORD VPDUSER_B_PASSWORD \
VPDUSER_MY_PASSWORD VPDUSER_PG_PASSWORD \
VPDUSER_BOTH_PASSWORD VPDUSER_NONE_PASSWORD \
PG_HOST PG_PORT PG_DB PG_USER \
MY_HOST MY_PORT MY_DB MY_USER \
DBLINK_PG_NAME DBLINK_MY_NAME
@@ -140,15 +143,17 @@ do_adb() {
}
do_tests() {
log "=== tests: 엔드유저 권한/필터 검증 ==="
run_sqlplus_as vpduser_a "$VPDUSER_A_PASSWORD" "$ROOT/sql/adb/08_tests_user_a.sql"
run_sqlplus_as vpduser_b "$VPDUSER_B_PASSWORD" "$ROOT/sql/adb/09_tests_user_b.sql"
ok "user_a / user_b 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인)"
log "=== tests: 4-user access matrix 검증 ==="
run_sqlplus_as vpduser_my "$VPDUSER_MY_PASSWORD" "$ROOT/sql/adb/08_tests_user_my.sql"
run_sqlplus_as vpduser_pg "$VPDUSER_PG_PASSWORD" "$ROOT/sql/adb/09_tests_user_pg.sql"
run_sqlplus_as vpduser_both "$VPDUSER_BOTH_PASSWORD" "$ROOT/sql/adb/10_tests_user_both.sql"
run_sqlplus_as vpduser_none "$VPDUSER_NONE_PASSWORD" "$ROOT/sql/adb/11_tests_user_none.sql"
ok "4명 (MY / PG / BOTH / NONE) 테스트 실행 완료"
}
do_audit() {
log "=== audit: admin 으로 정책 / 뷰 / 유저 상태 점검 ==="
run_sqlplus_file "$ROOT/sql/adb/10_tests_admin_audit.sql"
log "=== audit: admin 으로 정책 / 뷰 / 매트릭스 점검 ==="
run_sqlplus_file "$ROOT/sql/adb/12_tests_admin_audit.sql"
ok "audit 완료"
}

14
sql/adb/00_cleanup.sql
View File

@@ -42,9 +42,19 @@ BEGIN EXECUTE IMMEDIATE 'DROP FUNCTION vpd_region_filter'; EXCEPTION WHEN OTHE
/
PROMPT === Dropping end-user accounts (cascade) ===
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_a CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_my CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_b CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_pg CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_both CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_none CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
-- Legacy names from the original 2-user scenario — kept for idempotent
-- re-runs over an already-installed POC.
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_a CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_b CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
PROMPT === Dropping permission tables ===

71
sql/adb/03_seed.sql
View File

@@ -1,9 +1,19 @@
-- ============================================================
-- 02_seed.sql
-- Seed two end-users with different permissions to demonstrate VPD.
-- 03_seed.sql
-- Seed FOUR end-users to demonstrate a 2x2 source-access matrix:
--
-- VPDUSER_A -> group KR_ANALYSTS -> allowed_regions = 'APAC'
-- VPDUSER_B -> group GLOBAL_ADMINS -> allowed_regions = '*' (all rows)
-- user PG view MySQL view VPD predicate effect
-- ------------- ----------- ------------ ---------------------------
-- VPDUSER_MY blocked ALL rows PG='1=0' / MY=NULL(='*')
-- VPDUSER_PG ALL rows blocked PG=NULL / MY='1=0'
-- VPDUSER_BOTH ALL rows ALL rows PG=NULL / MY=NULL
-- VPDUSER_NONE blocked blocked PG='1=0' / MY='1=0'
--
-- The `permission` table grants per (group, source/view).
-- For this simplified demo every grant uses allowed_regions='*'
-- (full visibility within the source). Row-level region filtering
-- is still supported by the policy function — see commented examples
-- at the bottom of this file for how to layer it in.
--
-- Run as ADMIN.
-- ============================================================
@@ -12,35 +22,66 @@ SET FEEDBACK ON
PROMPT === Seeding permission data ===
-- Tenant (kept generic — multi-tenant hook for future use).
INSERT INTO app_customer (customer_id, customer_name) VALUES (1, 'Acme Corp');
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (1, 'VPDUSER_A', 1);
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (2, 'VPDUSER_B', 1);
-- Four end-users, each Oracle SESSION_USER value (uppercased).
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (1, 'VPDUSER_MY', 1);
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (2, 'VPDUSER_PG', 1);
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (3, 'VPDUSER_BOTH', 1);
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (4, 'VPDUSER_NONE', 1);
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (10, 1, 'KR_ANALYSTS');
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (20, 1, 'GLOBAL_ADMINS');
-- One group per access pattern (1:1 in this demo; in production one
-- group typically aggregates many users).
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (10, 1, 'MY_ONLY');
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (20, 1, 'PG_ONLY');
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (30, 1, 'BOTH_SOURCES');
-- (No group is needed for VPDUSER_NONE — absence of grants == fail-closed.)
-- A -> KR_ANALYSTS
-- (VPDUSER_NONE deliberately has no user_group row -> fail-closed.)
INSERT INTO user_group (user_id, group_id) VALUES (1, 10);
-- B -> GLOBAL_ADMINS
INSERT INTO user_group (user_id, group_id) VALUES (2, 20);
INSERT INTO user_group (user_id, group_id) VALUES (3, 30);
-- Source registry.
INSERT INTO db_source (source_id, source_name, source_type, dblink_name)
VALUES (100, 'RDS_POSTGRES', 'DBLINK_PG', 'RDS_POSTGRES_LINK');
INSERT INTO db_source (source_id, source_name, source_type, dblink_name)
VALUES (200, 'RDS_MYSQL', 'DBLINK_MY', 'RDS_LINK');
-- Permissions: KR analysts see APAC only; Global admins see everything.
-- Permissions: '*' means no row filter (full visibility on that view).
-- Mapping (group -> view):
-- MY_ONLY(10) -> V_CUSTOMERS_MY
-- PG_ONLY(20) -> V_CUSTOMERS_PG
-- BOTH_SOURCES(30) -> V_CUSTOMERS_PG + V_CUSTOMERS_MY
-- (VPDUSER_NONE has no group, hence no permission row.)
INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
VALUES (1, 10, 100, 'V_CUSTOMERS_PG', 'APAC');
VALUES (1, 10, 200, 'V_CUSTOMERS_MY', '*');
INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
VALUES (2, 10, 200, 'V_CUSTOMERS_MY', 'APAC');
VALUES (2, 20, 100, 'V_CUSTOMERS_PG', '*');
INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
VALUES (3, 20, 100, 'V_CUSTOMERS_PG', '*');
VALUES (3, 30, 100, 'V_CUSTOMERS_PG', '*');
INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
VALUES (4, 20, 200, 'V_CUSTOMERS_MY', '*');
VALUES (4, 30, 200, 'V_CUSTOMERS_MY', '*');
COMMIT;
-- ------------------------------------------------------------
-- HOW TO LAYER IN ROW-LEVEL REGION FILTERS (uncomment to try)
-- ------------------------------------------------------------
-- 'BOTH_SOURCES' showing only APAC from PG instead of '*':
-- UPDATE permission SET allowed_regions = 'APAC'
-- WHERE group_id = 30 AND object_name = 'V_CUSTOMERS_PG';
-- COMMIT;
--
-- Multi-region (CSV) example for the same group on MySQL:
-- UPDATE permission SET allowed_regions = 'APAC,EMEA'
-- WHERE group_id = 30 AND object_name = 'V_CUSTOMERS_MY';
-- COMMIT;
--
-- The policy function vpd_region_filter handles CSV → IN-list
-- conversion automatically. See sql/adb/06_policy.sql.
-- ------------------------------------------------------------
PROMPT === Seed complete ===
EXIT;

6
sql/adb/06a_redaction.sql
View File

@@ -6,8 +6,10 @@
-- PII columns (email, full_name) are MASKED unless the session
-- has full-region access ('*') on the corresponding view.
--
-- - VPDUSER_A (KR_ANALYSTS, regions = 'APAC') -> sees masked PII
-- - VPDUSER_B (GLOBAL_ADMINS, regions = '*') -> sees real PII
-- - VPDUSER_MY -> PG view masked, MY view unmasked (allowed '*')
-- - VPDUSER_PG -> PG view unmasked, MY view masked
-- - VPDUSER_BOTH -> both views unmasked
-- - VPDUSER_NONE -> both masked (but rows filtered to 0 anyway)
--
-- Reuses the secure VPD_CTX populated at logon — no new context.
-- Data Redaction and VPD compose: VPD filters rows first, Redaction

51
sql/adb/07_end_users.sql
View File

@@ -1,10 +1,11 @@
-- ============================================================
-- 07_end_users.sql
-- Create the two end-user accounts with MINIMAL privileges.
-- Create the FOUR end-user accounts with MINIMAL privileges.
-- Add a LOGON trigger that loads each user's context automatically.
-- Run as ADMIN.
--
-- DEFINE: &VPDUSER_A_PASSWORD, &VPDUSER_B_PASSWORD
-- DEFINE: &VPDUSER_MY_PASSWORD, &VPDUSER_PG_PASSWORD,
-- &VPDUSER_BOTH_PASSWORD, &VPDUSER_NONE_PASSWORD
-- ============================================================
SET ECHO OFF
SET FEEDBACK ON
@@ -13,25 +14,38 @@ SET DEFINE ON
PROMPT === Creating end-user accounts ===
-- Passwords come from .env (DEFINE) so they aren't hardcoded in source.
-- Production should use IAM / proxy auth / mTLS instead of static passwords.
CREATE USER vpduser_a IDENTIFIED BY "&VPDUSER_A_PASSWORD";
CREATE USER vpduser_b IDENTIFIED BY "&VPDUSER_B_PASSWORD";
CREATE USER vpduser_my IDENTIFIED BY "&VPDUSER_MY_PASSWORD";
CREATE USER vpduser_pg IDENTIFIED BY "&VPDUSER_PG_PASSWORD";
CREATE USER vpduser_both IDENTIFIED BY "&VPDUSER_BOTH_PASSWORD";
CREATE USER vpduser_none IDENTIFIED BY "&VPDUSER_NONE_PASSWORD";
-- ADB requires a tablespace quota even for read-only users in some setups; we
-- skip QUOTA since these users won't create objects.
GRANT CREATE SESSION TO vpduser_a;
GRANT CREATE SESSION TO vpduser_b;
-- Login privilege only. No QUOTA — these users never create objects.
GRANT CREATE SESSION TO vpduser_my;
GRANT CREATE SESSION TO vpduser_pg;
GRANT CREATE SESSION TO vpduser_both;
GRANT CREATE SESSION TO vpduser_none;
PROMPT === Granting SELECT on the policy-protected views ONLY ===
GRANT SELECT ON v_customers_pg TO vpduser_a;
GRANT SELECT ON v_customers_my TO vpduser_a;
GRANT SELECT ON v_customers_pg TO vpduser_b;
GRANT SELECT ON v_customers_my TO vpduser_b;
-- We deliberately grant SELECT on BOTH views to all four users.
-- The VPD policy decides what they actually see — including 0 rows
-- when there is no permission row. This is what makes the demo a
-- clean security boundary: revoking access doesn't mean revoking
-- the GRANT; it means removing the row in `permission`.
GRANT SELECT ON v_customers_pg TO vpduser_my;
GRANT SELECT ON v_customers_my TO vpduser_my;
GRANT SELECT ON v_customers_pg TO vpduser_pg;
GRANT SELECT ON v_customers_my TO vpduser_pg;
GRANT SELECT ON v_customers_pg TO vpduser_both;
GRANT SELECT ON v_customers_my TO vpduser_both;
GRANT SELECT ON v_customers_pg TO vpduser_none;
GRANT SELECT ON v_customers_my TO vpduser_none;
-- Allow them to call ctx_pkg.init (the logon trigger needs this, and a manual
-- re-init is sometimes useful). The package is bound to vpd_ctx so calling it
-- is harmless: it only ever loads the caller's OWN permissions.
GRANT EXECUTE ON ctx_pkg TO vpduser_a;
GRANT EXECUTE ON ctx_pkg TO vpduser_b;
-- ctx_pkg is bound to the secure context; calling it is harmless
-- (the package always loads ONLY the caller's own permissions).
GRANT EXECUTE ON ctx_pkg TO vpduser_my;
GRANT EXECUTE ON ctx_pkg TO vpduser_pg;
GRANT EXECUTE ON ctx_pkg TO vpduser_both;
GRANT EXECUTE ON ctx_pkg TO vpduser_none;
-- NOTE on what we are deliberately NOT granting:
-- * NO grant on app_user / permission / etc. -> users can't read who-can-see-what
@@ -46,7 +60,8 @@ CREATE OR REPLACE TRIGGER vpd_logon_trg
AFTER LOGON ON DATABASE
BEGIN
-- Only fire for our application end-users. ADMIN logons keep normal behavior.
IF SYS_CONTEXT('USERENV','SESSION_USER') IN ('VPDUSER_A','VPDUSER_B') THEN
IF SYS_CONTEXT('USERENV','SESSION_USER') IN
('VPDUSER_MY','VPDUSER_PG','VPDUSER_BOTH','VPDUSER_NONE') THEN
admin.ctx_pkg.init;
END IF;
EXCEPTION

45
sql/adb/08_tests_user_a.sql → sql/adb/08_tests_user_my.sql
View File

@@ -1,7 +1,13 @@
-- ============================================================
-- 07_tests_user_a.sql
-- Run as VPDUSER_A (group KR_ANALYSTS, allowed_regions=APAC).
-- Expected: only APAC rows visible; bypass attempts fail.
-- 08_tests_user_my.sql
-- Run as VPDUSER_MY (group MY_ONLY).
--
-- Expected:
-- - regions_pg = NULL -> policy returns '1=0' -> 0 rows from PG view
-- - regions_my = '*' -> policy returns NULL -> ALL rows from MySQL view
-- - email/full_name on MySQL view are unmasked ('*' bypasses redaction)
-- - all five bypass attempts fail (this is the full bypass-attempt suite;
-- the other three user tests rerun the most relevant subset only)
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
@@ -9,42 +15,37 @@ SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Distinct regions visible from Postgres view (expect: APAC only) ===
SELECT DISTINCT region FROM admin.v_customers_pg ORDER BY 1;
PROMPT
PROMPT === Distinct regions visible from MySQL view (expect: APAC only) ===
SELECT DISTINCT region FROM admin.v_customers_my ORDER BY 1;
PROMPT
PROMPT === Row counts ===
PROMPT === Row counts (expect: PG=0, MY=17) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === PII REDACTION (expect masked email/full_name: 'j****@...' / 'A****') ===
PROMPT === MySQL view sample (expect: ALL regions, UNMASKED email/full_name) ===
COLUMN customer_id FORMAT 9999
COLUMN full_name FORMAT A20
COLUMN email FORMAT A30
COLUMN region FORMAT A8
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id
FETCH FIRST 5 ROWS ONLY;
PROMPT
PROMPT === PG view sample (expect: NO ROWS fail closed) ===
SELECT customer_id, full_name, email, region
FROM admin.v_customers_pg
ORDER BY customer_id;
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id;
PROMPT
PROMPT === BYPASS 1: query remote table directly (expect ORA-00942 / privilege error) ===
PROMPT === BYPASS 1: query remote tables directly (expect ORA-00942 / privilege error) ===
WHENEVER SQLERROR CONTINUE;
SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK;
SELECT COUNT(*) FROM "ecommerce_poc"."customers"@RDS_LINK;

46
sql/adb/09_tests_user_b.sql
View File

@@ -1,46 +0,0 @@
-- ============================================================
-- 08_tests_user_b.sql
-- Run as VPDUSER_B (group GLOBAL_ADMINS, allowed_regions=*).
-- Expected: ALL regions visible (no row filter).
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Distinct regions visible from Postgres view (expect: all regions) ===
SELECT DISTINCT region FROM admin.v_customers_pg ORDER BY 1;
PROMPT
PROMPT === Distinct regions visible from MySQL view (expect: all regions) ===
SELECT DISTINCT region FROM admin.v_customers_my ORDER BY 1;
PROMPT
PROMPT === Row counts (expect higher than VPDUSER_A) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === PII REDACTION (expect REAL email/full_name GLOBAL_ADMINS has '*' so no masking) ===
COLUMN customer_id FORMAT 9999
COLUMN full_name FORMAT A20
COLUMN email FORMAT A30
COLUMN region FORMAT A8
SELECT customer_id, full_name, email, region
FROM admin.v_customers_pg
ORDER BY customer_id;
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id;
EXIT;

44
sql/adb/09_tests_user_pg.sql Normal file
View File

@@ -0,0 +1,44 @@
-- ============================================================
-- 09_tests_user_pg.sql
-- Run as VPDUSER_PG (group PG_ONLY).
--
-- Expected (mirror of 08):
-- - regions_pg = '*' -> ALL rows from PG view, unmasked
-- - regions_my = NULL -> 0 rows from MySQL view
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Row counts (expect: PG=12, MY=0) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === PG view sample (expect: ALL regions, UNMASKED email/full_name) ===
COLUMN customer_id FORMAT 9999
COLUMN full_name FORMAT A20
COLUMN email FORMAT A30
COLUMN region FORMAT A8
SELECT customer_id, full_name, email, region
FROM admin.v_customers_pg
ORDER BY customer_id
FETCH FIRST 5 ROWS ONLY;
PROMPT
PROMPT === MySQL view sample (expect: NO ROWS fail closed) ===
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id;
EXIT;

45
sql/adb/10_tests_user_both.sql Normal file
View File

@@ -0,0 +1,45 @@
-- ============================================================
-- 10_tests_user_both.sql
-- Run as VPDUSER_BOTH (group BOTH_SOURCES).
--
-- Expected:
-- - regions_pg = '*' AND regions_my = '*'
-- - Both views fully visible, PII unmasked everywhere
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Row counts (expect: PG=12, MY=17) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === PG view sample (expect: UNMASKED) ===
COLUMN customer_id FORMAT 9999
COLUMN full_name FORMAT A20
COLUMN email FORMAT A30
COLUMN region FORMAT A8
SELECT customer_id, full_name, email, region
FROM admin.v_customers_pg
ORDER BY customer_id
FETCH FIRST 5 ROWS ONLY;
PROMPT
PROMPT === MySQL view sample (expect: UNMASKED) ===
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id
FETCH FIRST 5 ROWS ONLY;
EXIT;

53
sql/adb/11_tests_user_none.sql Normal file
View File

@@ -0,0 +1,53 @@
-- ============================================================
-- 11_tests_user_none.sql
-- Run as VPDUSER_NONE — the "default deny" case.
--
-- This user has CREATE SESSION and SELECT on both views, but ZERO
-- rows in the permission table. The LOGON trigger still fires and
-- ctx_pkg.init still runs — it just finds nothing to load.
--
-- Expected:
-- - regions_pg = NULL AND regions_my = NULL
-- - Both views return 0 rows (policy returns '1=0' / fail-closed)
-- - This proves the model is "deny by default" — adding a user
-- without a permission row is automatically safe.
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
PROMPT === (expect: regions_pg and regions_my both NULL) ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Row counts (expect: PG=0, MY=0 fail-closed) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === Confirm no rows leak through despite the GRANT on the view ===
SELECT * FROM admin.v_customers_pg WHERE ROWNUM <= 1;
SELECT * FROM admin.v_customers_my WHERE ROWNUM <= 1;
PROMPT
PROMPT === BYPASS: even with no permission row, all 4 bypass surfaces blocked ===
WHENEVER SQLERROR CONTINUE;
SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK;
SELECT COUNT(*) FROM admin.permission;
BEGIN
DBMS_SESSION.SET_CONTEXT('VPD_CTX','V_CUSTOMERS_PG','*');
END;
/
BEGIN
DBMS_RLS.DROP_POLICY('ADMIN','V_CUSTOMERS_PG','CUSTOMERS_PG_POLICY');
END;
/
EXIT;

32
sql/adb/10_tests_admin_audit.sql → sql/adb/12_tests_admin_audit.sql
View File

@@ -1,6 +1,7 @@
-- ============================================================
-- 09_tests_admin_audit.sql
-- Run as ADMIN to audit / verify policy attachment.
-- 12_tests_admin_audit.sql
-- Run as ADMIN to audit / verify policy attachment and the
-- 4-user access matrix.
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 220
@@ -14,7 +15,7 @@ COL sel FORMAT a3
COL enable FORMAT a6
PROMPT
PROMPT === Attached VPD policies ===
PROMPT === Attached VPD policies (expect rows for V_CUSTOMERS_PG and V_CUSTOMERS_MY) ===
SELECT object_name,
policy_name AS policy,
pf_owner,
@@ -24,6 +25,7 @@ SELECT object_name,
enable
FROM dba_policies
WHERE object_owner = USER
AND object_name IN ('V_CUSTOMERS_PG','V_CUSTOMERS_MY')
ORDER BY object_name, policy_name;
PROMPT
@@ -39,7 +41,7 @@ WHERE object_owner = USER
ORDER BY object_name, policy_name;
PROMPT
PROMPT === Redacted columns (which columns get masked, and how) ===
PROMPT === Redacted columns ===
COL object_name FORMAT a20
COL column_name FORMAT a15
COL function_type FORMAT a15
@@ -55,17 +57,27 @@ WHERE object_owner = USER
ORDER BY object_name, column_name;
PROMPT
PROMPT === Permission summary (who can see what) ===
PROMPT === 4-user access matrix (from permission table) ===
PROMPT === Expected: ===
PROMPT === VPDUSER_MY -> V_CUSTOMERS_MY '*' ===
PROMPT === VPDUSER_PG -> V_CUSTOMERS_PG '*' ===
PROMPT === VPDUSER_BOTH -> V_CUSTOMERS_PG '*' + V_CUSTOMERS_MY '*' ===
PROMPT === VPDUSER_NONE -> (no rows fail-closed by absence) ===
COL db_username FORMAT a14
COL group_name FORMAT a14
COL source_name FORMAT a14
COL object_name FORMAT a16
COL allowed_regions FORMAT a16
SELECT u.db_username,
g.group_name,
s.source_name,
p.object_name,
p.allowed_regions
FROM app_user u
JOIN user_group ug ON ug.user_id = u.user_id
JOIN app_group g ON g.group_id = ug.group_id
JOIN permission p ON p.group_id = g.group_id
JOIN db_source s ON s.source_id = p.source_id
ORDER BY u.db_username, p.object_name;
LEFT JOIN user_group ug ON ug.user_id = u.user_id
LEFT JOIN app_group g ON g.group_id = ug.group_id
LEFT JOIN permission p ON p.group_id = g.group_id
LEFT JOIN db_source s ON s.source_id = p.source_id
ORDER BY u.db_username, p.object_name NULLS LAST;
EXIT;