From ed91306ee37ccd63b0990efb8eee96f6f277da09 Mon Sep 17 00:00:00 2001 From: devmrko Date: Tue, 26 May 2026 14:42:11 +0900 Subject: [PATCH] Pivot scenario from region-based 2 users to source-based 4 users Replaces the original APAC-vs-all 2-user demo (vpduser_a/b on KR_ANALYSTS/GLOBAL_ADMINS groups) with a 2x2 source-access matrix: vpduser_my -> MY_ONLY group -> MySQL view only vpduser_pg -> PG_ONLY group -> Postgres view only vpduser_both -> BOTH_SOURCES group -> both views vpduser_none -> (no group) -> nothing (default deny) Why: source-level segmentation is the more common production permission story than region-level filtering. Region filtering remains available as an opt-in variant via commented UPDATE in sql/adb/03_seed.sql. Key changes: - 03_seed.sql, 07_end_users.sql, 00_cleanup.sql, .env.example, run.sh updated for the new 4-user model. All 4 users get identical view GRANTs; the only differentiator is the permission table (proves the model is "data-driven, not GRANT-driven"). - 08-11 split into one file per user: my (+ 5 bypass attempts), pg, both, none (default-deny verification). - 12_tests_admin_audit.sql uses LEFT JOIN so vpduser_none shows up as NULL permissions, and filters by object_owner=USER to exclude cross-schema policies. - Removed inline "-- comment" after ";" lines in 03_seed.sql: SQL*Plus silently skipped the inserts (documented gotcha). - README.md + docs/01,02 updated for the 4-user matrix. docs/03 detailed guide keeps the region-filter example but now has a preface explaining it's a variant of the default 4-user model. - docs/04: db_type='mysql_community' note added (RDS MySQL). E2E verified: PG=0/MY=17, PG=12/MY=0, PG=12/MY=17, PG=0/MY=0 plus all 5 bypass attempts blocked. Co-Authored-By: Claude Opus 4.6 --- .env.example | 11 ++- README.md | 48 ++++++---- docs/01-quickstart.md | 18 ++-- docs/02-architecture.md | 11 +-- docs/03-detailed-guide.md | 88 ++++++++++++------- docs/04-source-setup.md | 5 +- run.sh | 27 +++--- sql/adb/00_cleanup.sql | 14 ++- sql/adb/03_seed.sql | 71 +++++++++++---- sql/adb/06a_redaction.sql | 6 +- sql/adb/07_end_users.sql | 51 +++++++---- ..._tests_user_a.sql => 08_tests_user_my.sql} | 45 +++++----- sql/adb/09_tests_user_b.sql | 46 ---------- sql/adb/09_tests_user_pg.sql | 44 ++++++++++ sql/adb/10_tests_user_both.sql | 45 ++++++++++ sql/adb/11_tests_user_none.sql | 53 +++++++++++ ...min_audit.sql => 12_tests_admin_audit.sql} | 32 ++++--- 17 files changed, 424 insertions(+), 191 deletions(-) rename sql/adb/{08_tests_user_a.sql => 08_tests_user_my.sql} (59%) delete mode 100644 sql/adb/09_tests_user_b.sql create mode 100644 sql/adb/09_tests_user_pg.sql create mode 100644 sql/adb/10_tests_user_both.sql create mode 100644 sql/adb/11_tests_user_none.sql rename sql/adb/{10_tests_admin_audit.sql => 12_tests_admin_audit.sql} (54%) diff --git a/.env.example b/.env.example index fabeedd..cda7548 100644 --- a/.env.example +++ b/.env.example @@ -22,8 +22,15 @@ export ADB_PASSWORD="" # 비워두면 # --- (3) 데모용 ADB 엔드유저 비밀번호 (sql/adb/07_end_users.sql 에서 사용) --- # ADB 비번 정책: 12자 이상, 대/소/숫자/특수 조합. -export VPDUSER_A_PASSWORD="RowFilter#A2026" -export VPDUSER_B_PASSWORD="RowFilter#B2026" +# 4명의 데모 유저: +# vpduser_my → MySQL view 만 SELECT 가능 +# vpduser_pg → Postgres view 만 SELECT 가능 +# vpduser_both → 양쪽 view 모두 SELECT 가능 +# vpduser_none → 양쪽 view 모두 fail-closed (0 rows) +export VPDUSER_MY_PASSWORD="RowFilter#My2026" +export VPDUSER_PG_PASSWORD="RowFilter#Pg2026" +export VPDUSER_BOTH_PASSWORD="RowFilter#Both26" +export VPDUSER_NONE_PASSWORD="RowFilter#None26" # --- (4) 원격 Postgres (AWS RDS, Cloud SQL, ...) --- # sql/source/postgres_setup.sql 가 여기로 customers 테이블/seed 생성. diff --git a/README.md b/README.md index 876b390..f800258 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ End-to-End 데모입니다. | ADB - 컨텍스트 | `vpd_ctx` (Secure Application Context) + `ctx_pkg` | 로그인 시 권한을 세션 컨텍스트로 로딩 | | ADB - 뷰 | `v_customers_pg`, `v_customers_my` | DB Link 위의 통합 뷰. **이 뷰에만 VPD/Redaction 정책이 붙음** | | ADB - 정책 | `CUSTOMERS_PG_POLICY`, `CUSTOMERS_MY_POLICY`, `PII_REDACT_PG/MY` | VPD 행 필터 + 이메일 마스킹 | -| ADB - 엔드유저 | `vpduser_a`, `vpduser_b` | 최소 권한. 뷰만 SELECT 가능. LOGON 트리거로 컨텍스트 자동 로딩 | +| ADB - 엔드유저 | `vpduser_my`, `vpduser_pg`, `vpduser_both`, `vpduser_none` | 최소 권한. 뷰만 SELECT 가능. LOGON 트리거로 컨텍스트 자동 로딩 | --- @@ -44,7 +44,7 @@ $EDITOR .env 1. **prereq** — `sqlplus`, `psql`, `mysql` 존재 + `.env` 변수 검증 2. **source** — 원격 PG/MySQL 에 `customers` 테이블 + seed (멱등) 3. **adb** — ADB 측 cleanup → DB Link → 권한 테이블/seed → context/view/policy → 엔드유저 -4. **tests** — `vpduser_a` 와 `vpduser_b` 로 접속해 행 필터/마스킹 검증 +4. **tests** — 4 명 (`vpduser_my`/`vpduser_pg`/`vpduser_both`/`vpduser_none`) 로 접속해 행 필터/마스킹/default-deny 검증 5. **audit** — ADMIN 으로 정책/뷰/유저 상태 점검 세부 단계만 따로 돌리려면: @@ -73,23 +73,33 @@ $EDITOR .env --- -## 데모 시나리오 +## 데모 시나리오 — 2×2 source access matrix -`sql/adb/03_seed.sql` 의 매핑: +`sql/adb/03_seed.sql` 의 매핑 (4 유저, 4 케이스): -| DB 유저 | 그룹 | 볼 수 있는 region | -|---|---|---| -| `vpduser_a` | `KR_ANALYSTS` | `APAC` 만 | -| `vpduser_b` | `GLOBAL_ADMINS` | `*` (전체) | +| DB 유저 | 그룹 | PG 뷰 | MySQL 뷰 | VPD 결과 | +|---|---|---|---|---| +| `vpduser_my` | `MY_ONLY` | ✗ 0 rows | ✓ ALL | PG=`1=0` / MY=`NULL` | +| `vpduser_pg` | `PG_ONLY` | ✓ ALL | ✗ 0 rows | PG=`NULL` / MY=`1=0` | +| `vpduser_both` | `BOTH_SOURCES` | ✓ ALL | ✓ ALL | PG=`NULL` / MY=`NULL` | +| `vpduser_none` | (그룹 없음) | ✗ 0 rows | ✗ 0 rows | PG=`1=0` / MY=`1=0` (default deny) | -따라서: +핵심 포인트: -* `vpduser_a` 로 `SELECT * FROM admin.v_customers_pg` → APAC rows 만, 이메일 마스킹됨 -* `vpduser_b` 로 같은 쿼리 → 전체 rows, 이메일 원본 -* 누구든 원본 테이블 직접 접근 시도 (`@RDS_POSTGRES_LINK` 등) → 권한 없음 +* 네 유저 모두 **양쪽 뷰에 SELECT GRANT 는 동일하게 주어집니다.** 차이를 만드는 건 + GRANT 가 아니라 `permission` 테이블의 행. 즉 **권한 회수 = GRANT 해제가 아니라 + permission row 삭제**. +* `vpduser_none` 처럼 매핑이 아예 없는 유저는 자동으로 fail-closed + (`1=0` predicate) — **deny by default**. +* 누구든 원본 테이블 직접 접근 시도 (`@RDS_POSTGRES_LINK` 등) → 권한 없음. -`sql/adb/08_tests_user_a.sql` 가 우회 시도 5개 (DBMS_RLS 변경, 다른 유저 컨텍스트 -설정 등) 를 시도하고 모두 ORA-xxxxx 로 실패하는 것을 보여줍니다. +`sql/adb/08_tests_user_my.sql` 가 우회 시도 5개 (원격 직접 SELECT, 컨텍스트 +스푸핑, DBMS_RLS 변경, 매핑 테이블 SELECT) 를 시도하고 모두 ORA-xxxxx 로 실패하는 것을 +보여줍니다. 09/10/11 은 각 유저의 expected 행 수를 가볍게 확인합니다. + +> Row-level region 필터링 (예: `vpduser_both` 가 PG 는 APAC 만) 도 정책 함수에 +> 그대로 살아있습니다. `03_seed.sql` 하단의 주석 처리된 `UPDATE permission ... +> allowed_regions='APAC'` 한 줄이면 활성화됩니다. --- @@ -113,10 +123,12 @@ $EDITOR .env │ ├── 05_views.sql # DB Link 통합 뷰 │ ├── 06_policy.sql # VPD 정책 + 정책 함수 │ ├── 06a_redaction.sql # Data Redaction (이메일 마스킹) -│ ├── 07_end_users.sql # vpduser_a/b + LOGON 트리거 -│ ├── 08_tests_user_a.sql # APAC-only 검증 + 우회 시도 -│ ├── 09_tests_user_b.sql # GLOBAL_ADMIN 검증 -│ └── 10_tests_admin_audit.sql +│ ├── 07_end_users.sql # 4 유저 + LOGON 트리거 +│ ├── 08_tests_user_my.sql # MY only — 우회 시도 5종 포함 +│ ├── 09_tests_user_pg.sql # PG only +│ ├── 10_tests_user_both.sql # both +│ ├── 11_tests_user_none.sql # default deny (fail-closed) 검증 +│ └── 12_tests_admin_audit.sql └── docs/ └── 03-detailed-guide.md # 한국어 상세 설명 (아키텍처, 정책 로직, 운영 고려사항) ``` diff --git a/docs/01-quickstart.md b/docs/01-quickstart.md index b2daf62..bf9cf3c 100644 --- a/docs/01-quickstart.md +++ b/docs/01-quickstart.md @@ -53,8 +53,8 @@ $EDITOR .env | `PG_HOST` 등 | 원격 Postgres 연결정보 | | `MY_HOST` 등 | 원격 MySQL 연결정보 | -VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로 써도 무방하지만, -공유 환경이면 바꿔주세요. +VPDUSER (`my` / `pg` / `both` / `none`) 의 패스워드는 데모용 기본값이 들어있으니 그대로 +써도 무방하지만, 공유 환경이면 바꿔주세요. --- @@ -71,7 +71,7 @@ VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로 [ OK ] Postgres source 준비 완료 [ OK ] MySQL source 준비 완료 [ OK ] ADB setup 완료 -[ OK ] user_a / user_b 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인) +[ OK ] 4명 (MY / PG / BOTH / NONE) 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인) [ OK ] audit 완료 [ OK ] === ALL DONE — VPD POC 전체 파이프라인 통과 === ``` @@ -79,9 +79,15 @@ VPDUSER A/B 의 패스워드는 데모용 기본값이 들어있으니 그대로 이후 직접 검증해보고 싶으면: ```bash -# vpduser_a 로 접속 → APAC rows 만 보여야 함 -sqlplus vpduser_a/${VPDUSER_A_PASSWORD}@${ADB_TNS} -SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region; +# vpduser_pg 로 접속 → PG 뷰는 전부 보이고 MY 뷰는 0 rows 여야 함 +sqlplus vpduser_pg/${VPDUSER_PG_PASSWORD}@${ADB_TNS} +SQL> SELECT COUNT(*) FROM admin.v_customers_pg; -- 12 +SQL> SELECT COUNT(*) FROM admin.v_customers_my; -- 0 + +# vpduser_none 으로 접속 → 양쪽 뷰 모두 0 rows (default deny) +sqlplus vpduser_none/${VPDUSER_NONE_PASSWORD}@${ADB_TNS} +SQL> SELECT COUNT(*) FROM admin.v_customers_pg; -- 0 +SQL> SELECT COUNT(*) FROM admin.v_customers_my; -- 0 ``` --- diff --git a/docs/02-architecture.md b/docs/02-architecture.md index 1f8f08d..0ca83a2 100644 --- a/docs/02-architecture.md +++ b/docs/02-architecture.md @@ -43,7 +43,8 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0. ``` +---------------------+ - | vpduser_a / b | ← 사용자 로그인 + | vpduser_my / pg / | ← 사용자 로그인 + | both / none | +----------+----------+ | (1) LOGON 트리거 @@ -88,7 +89,7 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0. |---|---| | `app_customer` | 도메인의 "고객사" 개념 (멀티 테넌트 hook) | | `app_user` | DB 유저 → 도메인 유저 매핑 (`db_username` 컬럼이 핵심) | -| `app_group` | 그룹 (KR_ANALYSTS, GLOBAL_ADMINS, ...) | +| `app_group` | 그룹 (MY_ONLY, PG_ONLY, BOTH_SOURCES, ...) | | `user_group` | user ↔ group N:N | | `db_source` | 원본 소스 식별자 (PG, MY) | | `permission` | (group, source, region) 행 — `region='*'` 이면 전체 허용 | @@ -112,7 +113,7 @@ LOGON 시 한 번만 읽으므로 쿼리 부하 0. 4. 그 외 → `RETURN 'region IN (''APAC'',''EMEA'')'` 형식으로 in-list → 컨텍스트는 **Secure Application Context** (`USING ctx_pkg`) 라 다른 패키지에서 -설정 불가. `vpduser_a` 가 `DBMS_SESSION.SET_CONTEXT('VPD_CTX', ...)` 직접 호출 → +설정 불가. 엔드유저가 `DBMS_SESSION.SET_CONTEXT('VPD_CTX', ...)` 직접 호출 → ORA-01031. --- @@ -134,8 +135,8 @@ ORA-01031. | 누가 | 무엇을 할 수 있나 | |---|---| | `ADMIN` (ADB 관리자) | 전부 다. 정책 BYPASS. **운영에선 절대 일반 사용자에게 주지 말 것** | -| `vpduser_a/b` | (a) 자기에게 GRANT 된 뷰 SELECT, (b) `ctx_pkg.init` 호출 | -| `vpduser_a/b` 가 **못** 하는 것 | DBMS_RLS 변경, EXEMPT ACCESS POLICY, CREATE TABLE (스냅샷 방지), 매핑 테이블 직접 SELECT, DB Link 직접 SELECT | +| `vpduser_*` (my/pg/both/none) | (a) 자기에게 GRANT 된 뷰 SELECT, (b) `ctx_pkg.init` 호출 | +| `vpduser_*` 가 **못** 하는 것 | DBMS_RLS 변경, EXEMPT ACCESS POLICY, CREATE TABLE (스냅샷 방지), 매핑 테이블 직접 SELECT, DB Link 직접 SELECT | → 즉 엔드유저 입장에서 정책을 우회할 표면이 없습니다. `07_end_users.sql` 의 주석에서 "what we are deliberately NOT granting" 섹션이 그 목록. diff --git a/docs/03-detailed-guide.md b/docs/03-detailed-guide.md index 69a7d69..5a0335f 100644 --- a/docs/03-detailed-guide.md +++ b/docs/03-detailed-guide.md @@ -3,6 +3,13 @@ > **이 문서의 대상 독자:** 데이터베이스 보안이나 Oracle 기술에 익숙하지 않은 분. > 용어가 나올 때마다 풀어서 설명하고, 왜 그 장치가 필요한지를 함께 적습니다. +> **시나리오 안내:** 현재 `./run.sh` 가 자동으로 깔아주는 기본 시나리오는 4명의 +> 엔드유저 (`vpduser_my`/`pg`/`both`/`none`) 가 각각 다른 소스에 접근 가능한 **소스 +> 단위 매트릭스** 입니다 (README 참고). 본 상세 가이드는 그 위에 얹을 수 있는 **행 +> 단위 region 필터링** 변형(`KR_ANALYSTS → APAC`, `GLOBAL_ADMINS → '*'`) 을 예시로 +> 사용합니다 — VPD 메커니즘 자체는 동일하므로 개념 이해에는 차이가 없습니다. +> region 필터를 실제로 켜려면 `sql/adb/03_seed.sql` 하단의 주석을 해제하세요. + --- ## 목차 @@ -470,24 +477,35 @@ AUDIT POLICY vpd_view_access; ## 9. 디렉터리·파일 구조 ``` -ords/ -├── .env ← ADB 연결 정보 (비밀번호 포함, .gitignore 됨) -├── .gitignore ← .env, *.log 제외 -├── README.md ← (선택) 실행 가이드 -├── run_poc.sh ← 셋업/테스트/감사 일괄 실행 스크립트 +vpd-permission-poc/ +├── .env ← ADB + RDS 연결 정보 (.gitignore 됨) +├── .env.example +├── README.md ← 클론-앤-고 가이드 +├── run.sh ← 원클릭 오케스트레이터 +├── scripts/lib/common.sh ├── sql/ -│ ├── 00_cleanup.sql ← 초기화 (멱등성) -│ ├── 01_perm_tables.sql ← 권한 모델 6개 테이블 생성 -│ ├── 02_seed.sql ← 데모 데이터 주입 -│ ├── 03_secure_ctx.sql ← ctx_pkg + Secure Context 생성 -│ ├── 04_views.sql ← 외부 테이블에 대한 로컬 뷰 2개 -│ ├── 05_policy.sql ← VPD 정책 함수 + ADD_POLICY -│ ├── 06_end_users.sql ← 일반 사용자 2명 + LOGON 트리거 -│ ├── 07_tests_user_a.sql ← VPDUSER_A 입장에서 검증 -│ ├── 08_tests_user_b.sql ← VPDUSER_B 입장에서 검증 -│ └── 09_tests_admin_audit.sql ← ADMIN 입장에서 정책·권한 현황 감사 +│ ├── source/ +│ │ ├── postgres_setup.sql ← 원격 PG: customers + 12 rows +│ │ └── mysql_setup.sql ← 원격 MySQL: customers + 12 rows +│ └── adb/ +│ ├── 00_cleanup.sql ← 멱등 초기화 +│ ├── 01_dblinks.sql ← DB Link + credential +│ ├── 02_perm_tables.sql ← 권한 매핑 6개 테이블 +│ ├── 03_seed.sql ← 4-user 매트릭스 시드 +│ ├── 04_secure_ctx.sql ← ctx_pkg + Secure Context +│ ├── 05_views.sql ← DB Link 통합 뷰 +│ ├── 06_policy.sql ← VPD 정책 + 정책 함수 +│ ├── 06a_redaction.sql ← Data Redaction (이메일/이름 마스킹) +│ ├── 07_end_users.sql ← 4 유저 + LOGON 트리거 +│ ├── 08_tests_user_my.sql ← MY only + 우회 시도 5종 +│ ├── 09_tests_user_pg.sql ← PG only +│ ├── 10_tests_user_both.sql ← both +│ ├── 11_tests_user_none.sql ← default deny 검증 +│ └── 12_tests_admin_audit.sql └── docs/ - └── 설명.md ← (이 문서) + ├── 01-quickstart.md + ├── 02-architecture.md + └── 03-detailed-guide.md ← (이 문서) ``` --- @@ -495,18 +513,18 @@ ords/ ## 10. 실행 방법 ```bash -cd /Users/joungminko/devkit/ords +cd vpd-permission-poc -# 1) 전체 셋업 + 테스트 + 감사 한 번에 -./run_poc.sh all +# 1) 전체 파이프라인 한 번에 +./run.sh # = ./run.sh all # 또는 단계별로: -./run_poc.sh setup # 정리 + 모든 객체 생성 -./run_poc.sh test # VPDUSER_A, VPDUSER_B 시점 테스트 -./run_poc.sh audit # ADMIN 시점 정책·권한 감사 -./run_poc.sh teardown # 전부 삭제 - -# .env 파일이 있어야 합니다. (이 POC 에는 포함됨) +./run.sh prereq # 도구/.env 검증 +./run.sh source # 원격 PG + MySQL 에 customers 테이블/seed +./run.sh adb # ADB 측 cleanup → dblink → 권한/뷰/정책 → 4 유저 +./run.sh tests # 4 명 (MY/PG/BOTH/NONE) 시점 테스트 +./run.sh audit # ADMIN 시점 정책·권한 감사 +./run.sh teardown # ADB 측 객체 + dblink 정리 ``` ### 사람의 눈으로 직접 확인하고 싶을 때 @@ -514,15 +532,21 @@ cd /Users/joungminko/devkit/ords ```bash source .env -# VPDUSER_A로 직접 들어가서 쿼리해보기: -sqlplus "vpduser_a/\"RowFilter#A2026\"@$ADB_TNS" +# 기본 시나리오 — vpduser_pg: PG 뷰는 다 보이고 MySQL 뷰는 0 rows +sqlplus "vpduser_pg/\"${VPDUSER_PG_PASSWORD}\"@$ADB_TNS" +SQL> SELECT COUNT(*) FROM admin.v_customers_pg; -- 12 +SQL> SELECT COUNT(*) FROM admin.v_customers_my; -- 0 + +# vpduser_none — default deny +sqlplus "vpduser_none/\"${VPDUSER_NONE_PASSWORD}\"@$ADB_TNS" +SQL> SELECT COUNT(*) FROM admin.v_customers_pg; -- 0 +SQL> SELECT COUNT(*) FROM admin.v_customers_my; -- 0 + +# region 필터 변형을 켰을 때 — vpduser_both 에게 APAC 만 허용한 경우 +# (sql/adb/03_seed.sql 하단 UPDATE 주석 해제 후) +sqlplus "vpduser_both/\"${VPDUSER_BOTH_PASSWORD}\"@$ADB_TNS" SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region; -- 결과: APAC 만 보임 - -# VPDUSER_B로: -sqlplus "vpduser_b/\"RowFilter#B2026\"@$ADB_TNS" -SQL> SELECT region, COUNT(*) FROM admin.v_customers_pg GROUP BY region; --- 결과: APAC, EMEA, NA 모두 보임 ``` --- diff --git a/docs/04-source-setup.md b/docs/04-source-setup.md index 99f5378..ffb49cb 100644 --- a/docs/04-source-setup.md +++ b/docs/04-source-setup.md @@ -41,7 +41,7 @@ seed rows : 12 (PK 101~112, 역시 APAC/EMEA/AMER 4/4/4) PK 범위를 PG (1~12) 와 다르게 가져간 이유: * 두 소스는 서로 독립적인 별개의 데이터 라는 것을 데모에서 시각적으로 보여주기 위함 -* `vpduser_b` 가 양쪽 뷰를 합칠 때 PK 가 겹치지 않아 UNION 데모하기 쉬움 +* `vpduser_both` 가 양쪽 뷰를 합칠 때 PK 가 겹치지 않아 UNION 데모하기 쉬움 수동 실행: @@ -68,7 +68,8 @@ DBMS_CLOUD_ADMIN.CREATE_DATABASE_LINK( ); ``` -MySQL 도 동일 패턴, `db_type` 만 `'mysql'`. +MySQL 도 동일 패턴, `db_type` 만 `'mysql_community'` (AWS RDS MySQL 은 Community 빌드 — 기본 +`'mysql'` 은 Enterprise Server 전용이라 `ORA-28500` 으로 거절됨). 링크 검증: diff --git a/run.sh b/run.sh index 2e03257..9aebd5b 100755 --- a/run.sh +++ b/run.sh @@ -7,7 +7,7 @@ # ./run.sh prereq # 도구 존재 / .env 변수만 검증 # ./run.sh source # 원격 PG + MySQL 에 customers 테이블/seed 생성 # ./run.sh adb # ADB 측 cleanup → dblinks → perm/ctx/view/policy → end_users -# ./run.sh tests # vpduser_a / vpduser_b 로 접속해서 행 필터 검증 +# ./run.sh tests # 4-user (my/pg/both/none) 로 접속해서 행 필터 검증 # ./run.sh audit # admin 으로 정책/뷰/유저 상태 점검 # ./run.sh all # source → adb → tests → audit # ./run.sh teardown # ADB 측 객체 + 원격 link/cred 만 정리 (원격 PG/MySQL 데이터는 보존) @@ -61,14 +61,16 @@ DEFINE MY_PORT = ${MY_PORT} DEFINE MY_DB = "${MY_DB}" DEFINE MY_USER = "${MY_USER}" DEFINE MY_PASSWORD = "${MY_PASSWORD}" -DEFINE VPDUSER_A_PASSWORD = "${VPDUSER_A_PASSWORD}" -DEFINE VPDUSER_B_PASSWORD = "${VPDUSER_B_PASSWORD}" +DEFINE VPDUSER_MY_PASSWORD = "${VPDUSER_MY_PASSWORD}" +DEFINE VPDUSER_PG_PASSWORD = "${VPDUSER_PG_PASSWORD}" +DEFINE VPDUSER_BOTH_PASSWORD = "${VPDUSER_BOTH_PASSWORD}" +DEFINE VPDUSER_NONE_PASSWORD = "${VPDUSER_NONE_PASSWORD}" @${sql_file} SQLEOF } # ============================================================ -# 헬퍼: 엔드유저 (vpduser_a / vpduser_b) 로 sqlplus 호출 +# 헬퍼: 엔드유저 (vpduser_my / pg / both / none) 로 sqlplus 호출 # 인자: $1 = USER, $2 = PASSWORD, $3 = SQL 파일 # ============================================================ run_sqlplus_as() { @@ -93,7 +95,8 @@ do_prereq() { require_env \ TNS_ADMIN ADB_TNS ADB_USER \ - VPDUSER_A_PASSWORD VPDUSER_B_PASSWORD \ + VPDUSER_MY_PASSWORD VPDUSER_PG_PASSWORD \ + VPDUSER_BOTH_PASSWORD VPDUSER_NONE_PASSWORD \ PG_HOST PG_PORT PG_DB PG_USER \ MY_HOST MY_PORT MY_DB MY_USER \ DBLINK_PG_NAME DBLINK_MY_NAME @@ -140,15 +143,17 @@ do_adb() { } do_tests() { - log "=== tests: 엔드유저 권한/필터 검증 ===" - run_sqlplus_as vpduser_a "$VPDUSER_A_PASSWORD" "$ROOT/sql/adb/08_tests_user_a.sql" - run_sqlplus_as vpduser_b "$VPDUSER_B_PASSWORD" "$ROOT/sql/adb/09_tests_user_b.sql" - ok "user_a / user_b 테스트 실행 완료 (위 출력에서 행 수 / 거부 결과 확인)" + log "=== tests: 4-user access matrix 검증 ===" + run_sqlplus_as vpduser_my "$VPDUSER_MY_PASSWORD" "$ROOT/sql/adb/08_tests_user_my.sql" + run_sqlplus_as vpduser_pg "$VPDUSER_PG_PASSWORD" "$ROOT/sql/adb/09_tests_user_pg.sql" + run_sqlplus_as vpduser_both "$VPDUSER_BOTH_PASSWORD" "$ROOT/sql/adb/10_tests_user_both.sql" + run_sqlplus_as vpduser_none "$VPDUSER_NONE_PASSWORD" "$ROOT/sql/adb/11_tests_user_none.sql" + ok "4명 (MY / PG / BOTH / NONE) 테스트 실행 완료" } do_audit() { - log "=== audit: admin 으로 정책 / 뷰 / 유저 상태 점검 ===" - run_sqlplus_file "$ROOT/sql/adb/10_tests_admin_audit.sql" + log "=== audit: admin 으로 정책 / 뷰 / 매트릭스 점검 ===" + run_sqlplus_file "$ROOT/sql/adb/12_tests_admin_audit.sql" ok "audit 완료" } diff --git a/sql/adb/00_cleanup.sql b/sql/adb/00_cleanup.sql index 1193ee0..b906ae1 100644 --- a/sql/adb/00_cleanup.sql +++ b/sql/adb/00_cleanup.sql @@ -42,9 +42,19 @@ BEGIN EXECUTE IMMEDIATE 'DROP FUNCTION vpd_region_filter'; EXCEPTION WHEN OTHE / PROMPT === Dropping end-user accounts (cascade) === -BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_a CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_my CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; / -BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_b CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_pg CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_both CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_none CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +-- Legacy names from the original 2-user scenario — kept for idempotent +-- re-runs over an already-installed POC. +BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_a CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ +BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_b CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END; / PROMPT === Dropping permission tables === diff --git a/sql/adb/03_seed.sql b/sql/adb/03_seed.sql index 804ac34..9223f3e 100644 --- a/sql/adb/03_seed.sql +++ b/sql/adb/03_seed.sql @@ -1,9 +1,19 @@ -- ============================================================ --- 02_seed.sql --- Seed two end-users with different permissions to demonstrate VPD. +-- 03_seed.sql +-- Seed FOUR end-users to demonstrate a 2x2 source-access matrix: -- --- VPDUSER_A -> group KR_ANALYSTS -> allowed_regions = 'APAC' --- VPDUSER_B -> group GLOBAL_ADMINS -> allowed_regions = '*' (all rows) +-- user PG view MySQL view VPD predicate effect +-- ------------- ----------- ------------ --------------------------- +-- VPDUSER_MY blocked ALL rows PG='1=0' / MY=NULL(='*') +-- VPDUSER_PG ALL rows blocked PG=NULL / MY='1=0' +-- VPDUSER_BOTH ALL rows ALL rows PG=NULL / MY=NULL +-- VPDUSER_NONE blocked blocked PG='1=0' / MY='1=0' +-- +-- The `permission` table grants per (group, source/view). +-- For this simplified demo every grant uses allowed_regions='*' +-- (full visibility within the source). Row-level region filtering +-- is still supported by the policy function — see commented examples +-- at the bottom of this file for how to layer it in. -- -- Run as ADMIN. -- ============================================================ @@ -12,35 +22,66 @@ SET FEEDBACK ON PROMPT === Seeding permission data === +-- Tenant (kept generic — multi-tenant hook for future use). INSERT INTO app_customer (customer_id, customer_name) VALUES (1, 'Acme Corp'); -INSERT INTO app_user (user_id, db_username, customer_id) VALUES (1, 'VPDUSER_A', 1); -INSERT INTO app_user (user_id, db_username, customer_id) VALUES (2, 'VPDUSER_B', 1); +-- Four end-users, each Oracle SESSION_USER value (uppercased). +INSERT INTO app_user (user_id, db_username, customer_id) VALUES (1, 'VPDUSER_MY', 1); +INSERT INTO app_user (user_id, db_username, customer_id) VALUES (2, 'VPDUSER_PG', 1); +INSERT INTO app_user (user_id, db_username, customer_id) VALUES (3, 'VPDUSER_BOTH', 1); +INSERT INTO app_user (user_id, db_username, customer_id) VALUES (4, 'VPDUSER_NONE', 1); -INSERT INTO app_group (group_id, customer_id, group_name) VALUES (10, 1, 'KR_ANALYSTS'); -INSERT INTO app_group (group_id, customer_id, group_name) VALUES (20, 1, 'GLOBAL_ADMINS'); +-- One group per access pattern (1:1 in this demo; in production one +-- group typically aggregates many users). +INSERT INTO app_group (group_id, customer_id, group_name) VALUES (10, 1, 'MY_ONLY'); +INSERT INTO app_group (group_id, customer_id, group_name) VALUES (20, 1, 'PG_ONLY'); +INSERT INTO app_group (group_id, customer_id, group_name) VALUES (30, 1, 'BOTH_SOURCES'); +-- (No group is needed for VPDUSER_NONE — absence of grants == fail-closed.) --- A -> KR_ANALYSTS +-- (VPDUSER_NONE deliberately has no user_group row -> fail-closed.) INSERT INTO user_group (user_id, group_id) VALUES (1, 10); --- B -> GLOBAL_ADMINS INSERT INTO user_group (user_id, group_id) VALUES (2, 20); +INSERT INTO user_group (user_id, group_id) VALUES (3, 30); +-- Source registry. INSERT INTO db_source (source_id, source_name, source_type, dblink_name) VALUES (100, 'RDS_POSTGRES', 'DBLINK_PG', 'RDS_POSTGRES_LINK'); INSERT INTO db_source (source_id, source_name, source_type, dblink_name) VALUES (200, 'RDS_MYSQL', 'DBLINK_MY', 'RDS_LINK'); --- Permissions: KR analysts see APAC only; Global admins see everything. +-- Permissions: '*' means no row filter (full visibility on that view). +-- Mapping (group -> view): +-- MY_ONLY(10) -> V_CUSTOMERS_MY +-- PG_ONLY(20) -> V_CUSTOMERS_PG +-- BOTH_SOURCES(30) -> V_CUSTOMERS_PG + V_CUSTOMERS_MY +-- (VPDUSER_NONE has no group, hence no permission row.) INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions) - VALUES (1, 10, 100, 'V_CUSTOMERS_PG', 'APAC'); + VALUES (1, 10, 200, 'V_CUSTOMERS_MY', '*'); INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions) - VALUES (2, 10, 200, 'V_CUSTOMERS_MY', 'APAC'); + VALUES (2, 20, 100, 'V_CUSTOMERS_PG', '*'); INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions) - VALUES (3, 20, 100, 'V_CUSTOMERS_PG', '*'); + VALUES (3, 30, 100, 'V_CUSTOMERS_PG', '*'); INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions) - VALUES (4, 20, 200, 'V_CUSTOMERS_MY', '*'); + VALUES (4, 30, 200, 'V_CUSTOMERS_MY', '*'); COMMIT; +-- ------------------------------------------------------------ +-- HOW TO LAYER IN ROW-LEVEL REGION FILTERS (uncomment to try) +-- ------------------------------------------------------------ +-- 'BOTH_SOURCES' showing only APAC from PG instead of '*': +-- UPDATE permission SET allowed_regions = 'APAC' +-- WHERE group_id = 30 AND object_name = 'V_CUSTOMERS_PG'; +-- COMMIT; +-- +-- Multi-region (CSV) example for the same group on MySQL: +-- UPDATE permission SET allowed_regions = 'APAC,EMEA' +-- WHERE group_id = 30 AND object_name = 'V_CUSTOMERS_MY'; +-- COMMIT; +-- +-- The policy function vpd_region_filter handles CSV → IN-list +-- conversion automatically. See sql/adb/06_policy.sql. +-- ------------------------------------------------------------ + PROMPT === Seed complete === EXIT; diff --git a/sql/adb/06a_redaction.sql b/sql/adb/06a_redaction.sql index b63335a..18459d2 100644 --- a/sql/adb/06a_redaction.sql +++ b/sql/adb/06a_redaction.sql @@ -6,8 +6,10 @@ -- PII columns (email, full_name) are MASKED unless the session -- has full-region access ('*') on the corresponding view. -- --- - VPDUSER_A (KR_ANALYSTS, regions = 'APAC') -> sees masked PII --- - VPDUSER_B (GLOBAL_ADMINS, regions = '*') -> sees real PII +-- - VPDUSER_MY -> PG view masked, MY view unmasked (allowed '*') +-- - VPDUSER_PG -> PG view unmasked, MY view masked +-- - VPDUSER_BOTH -> both views unmasked +-- - VPDUSER_NONE -> both masked (but rows filtered to 0 anyway) -- -- Reuses the secure VPD_CTX populated at logon — no new context. -- Data Redaction and VPD compose: VPD filters rows first, Redaction diff --git a/sql/adb/07_end_users.sql b/sql/adb/07_end_users.sql index 7070709..6221d2f 100644 --- a/sql/adb/07_end_users.sql +++ b/sql/adb/07_end_users.sql @@ -1,10 +1,11 @@ -- ============================================================ -- 07_end_users.sql --- Create the two end-user accounts with MINIMAL privileges. +-- Create the FOUR end-user accounts with MINIMAL privileges. -- Add a LOGON trigger that loads each user's context automatically. -- Run as ADMIN. -- --- DEFINE: &VPDUSER_A_PASSWORD, &VPDUSER_B_PASSWORD +-- DEFINE: &VPDUSER_MY_PASSWORD, &VPDUSER_PG_PASSWORD, +-- &VPDUSER_BOTH_PASSWORD, &VPDUSER_NONE_PASSWORD -- ============================================================ SET ECHO OFF SET FEEDBACK ON @@ -13,25 +14,38 @@ SET DEFINE ON PROMPT === Creating end-user accounts === -- Passwords come from .env (DEFINE) so they aren't hardcoded in source. -- Production should use IAM / proxy auth / mTLS instead of static passwords. -CREATE USER vpduser_a IDENTIFIED BY "&VPDUSER_A_PASSWORD"; -CREATE USER vpduser_b IDENTIFIED BY "&VPDUSER_B_PASSWORD"; +CREATE USER vpduser_my IDENTIFIED BY "&VPDUSER_MY_PASSWORD"; +CREATE USER vpduser_pg IDENTIFIED BY "&VPDUSER_PG_PASSWORD"; +CREATE USER vpduser_both IDENTIFIED BY "&VPDUSER_BOTH_PASSWORD"; +CREATE USER vpduser_none IDENTIFIED BY "&VPDUSER_NONE_PASSWORD"; --- ADB requires a tablespace quota even for read-only users in some setups; we --- skip QUOTA since these users won't create objects. -GRANT CREATE SESSION TO vpduser_a; -GRANT CREATE SESSION TO vpduser_b; +-- Login privilege only. No QUOTA — these users never create objects. +GRANT CREATE SESSION TO vpduser_my; +GRANT CREATE SESSION TO vpduser_pg; +GRANT CREATE SESSION TO vpduser_both; +GRANT CREATE SESSION TO vpduser_none; PROMPT === Granting SELECT on the policy-protected views ONLY === -GRANT SELECT ON v_customers_pg TO vpduser_a; -GRANT SELECT ON v_customers_my TO vpduser_a; -GRANT SELECT ON v_customers_pg TO vpduser_b; -GRANT SELECT ON v_customers_my TO vpduser_b; +-- We deliberately grant SELECT on BOTH views to all four users. +-- The VPD policy decides what they actually see — including 0 rows +-- when there is no permission row. This is what makes the demo a +-- clean security boundary: revoking access doesn't mean revoking +-- the GRANT; it means removing the row in `permission`. +GRANT SELECT ON v_customers_pg TO vpduser_my; +GRANT SELECT ON v_customers_my TO vpduser_my; +GRANT SELECT ON v_customers_pg TO vpduser_pg; +GRANT SELECT ON v_customers_my TO vpduser_pg; +GRANT SELECT ON v_customers_pg TO vpduser_both; +GRANT SELECT ON v_customers_my TO vpduser_both; +GRANT SELECT ON v_customers_pg TO vpduser_none; +GRANT SELECT ON v_customers_my TO vpduser_none; --- Allow them to call ctx_pkg.init (the logon trigger needs this, and a manual --- re-init is sometimes useful). The package is bound to vpd_ctx so calling it --- is harmless: it only ever loads the caller's OWN permissions. -GRANT EXECUTE ON ctx_pkg TO vpduser_a; -GRANT EXECUTE ON ctx_pkg TO vpduser_b; +-- ctx_pkg is bound to the secure context; calling it is harmless +-- (the package always loads ONLY the caller's own permissions). +GRANT EXECUTE ON ctx_pkg TO vpduser_my; +GRANT EXECUTE ON ctx_pkg TO vpduser_pg; +GRANT EXECUTE ON ctx_pkg TO vpduser_both; +GRANT EXECUTE ON ctx_pkg TO vpduser_none; -- NOTE on what we are deliberately NOT granting: -- * NO grant on app_user / permission / etc. -> users can't read who-can-see-what @@ -46,7 +60,8 @@ CREATE OR REPLACE TRIGGER vpd_logon_trg AFTER LOGON ON DATABASE BEGIN -- Only fire for our application end-users. ADMIN logons keep normal behavior. - IF SYS_CONTEXT('USERENV','SESSION_USER') IN ('VPDUSER_A','VPDUSER_B') THEN + IF SYS_CONTEXT('USERENV','SESSION_USER') IN + ('VPDUSER_MY','VPDUSER_PG','VPDUSER_BOTH','VPDUSER_NONE') THEN admin.ctx_pkg.init; END IF; EXCEPTION diff --git a/sql/adb/08_tests_user_a.sql b/sql/adb/08_tests_user_my.sql similarity index 59% rename from sql/adb/08_tests_user_a.sql rename to sql/adb/08_tests_user_my.sql index ad9f3b5..0836b6c 100644 --- a/sql/adb/08_tests_user_a.sql +++ b/sql/adb/08_tests_user_my.sql @@ -1,7 +1,13 @@ -- ============================================================ --- 07_tests_user_a.sql --- Run as VPDUSER_A (group KR_ANALYSTS, allowed_regions=APAC). --- Expected: only APAC rows visible; bypass attempts fail. +-- 08_tests_user_my.sql +-- Run as VPDUSER_MY (group MY_ONLY). +-- +-- Expected: +-- - regions_pg = NULL -> policy returns '1=0' -> 0 rows from PG view +-- - regions_my = '*' -> policy returns NULL -> ALL rows from MySQL view +-- - email/full_name on MySQL view are unmasked ('*' bypasses redaction) +-- - all five bypass attempts fail (this is the full bypass-attempt suite; +-- the other three user tests rerun the most relevant subset only) -- ============================================================ SET FEEDBACK ON SET LINESIZE 200 @@ -9,42 +15,37 @@ SET PAGESIZE 100 PROMPT PROMPT === Who am I, and what context did the LOGON trigger load? === -SELECT USER AS session_user, - SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id, - SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg, - SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my +SELECT USER AS session_user, + SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id, + SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg, + SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my FROM dual; PROMPT -PROMPT === Distinct regions visible from Postgres view (expect: APAC only) === -SELECT DISTINCT region FROM admin.v_customers_pg ORDER BY 1; - -PROMPT -PROMPT === Distinct regions visible from MySQL view (expect: APAC only) === -SELECT DISTINCT region FROM admin.v_customers_my ORDER BY 1; - -PROMPT -PROMPT === Row counts === +PROMPT === Row counts (expect: PG=0, MY=17) === SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg UNION ALL SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my; PROMPT -PROMPT === PII REDACTION (expect masked email/full_name: 'j****@...' / 'A****') === +PROMPT === MySQL view sample (expect: ALL regions, UNMASKED email/full_name) === COLUMN customer_id FORMAT 9999 COLUMN full_name FORMAT A20 COLUMN email FORMAT A30 COLUMN region FORMAT A8 SELECT customer_id, full_name, email, region +FROM admin.v_customers_my +ORDER BY customer_id +FETCH FIRST 5 ROWS ONLY; + +PROMPT +PROMPT === PG view sample (expect: NO ROWS — fail closed) === +SELECT customer_id, full_name, email, region FROM admin.v_customers_pg ORDER BY customer_id; -SELECT customer_id, full_name, email, region -FROM admin.v_customers_my -ORDER BY customer_id; - PROMPT -PROMPT === BYPASS 1: query remote table directly (expect ORA-00942 / privilege error) === +PROMPT === BYPASS 1: query remote tables directly (expect ORA-00942 / privilege error) === WHENEVER SQLERROR CONTINUE; SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK; SELECT COUNT(*) FROM "ecommerce_poc"."customers"@RDS_LINK; diff --git a/sql/adb/09_tests_user_b.sql b/sql/adb/09_tests_user_b.sql deleted file mode 100644 index 2c95952..0000000 --- a/sql/adb/09_tests_user_b.sql +++ /dev/null @@ -1,46 +0,0 @@ --- ============================================================ --- 08_tests_user_b.sql --- Run as VPDUSER_B (group GLOBAL_ADMINS, allowed_regions=*). --- Expected: ALL regions visible (no row filter). --- ============================================================ -SET FEEDBACK ON -SET LINESIZE 200 -SET PAGESIZE 100 - -PROMPT -PROMPT === Who am I, and what context did the LOGON trigger load? === -SELECT USER AS session_user, - SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id, - SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg, - SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my -FROM dual; - -PROMPT -PROMPT === Distinct regions visible from Postgres view (expect: all regions) === -SELECT DISTINCT region FROM admin.v_customers_pg ORDER BY 1; - -PROMPT -PROMPT === Distinct regions visible from MySQL view (expect: all regions) === -SELECT DISTINCT region FROM admin.v_customers_my ORDER BY 1; - -PROMPT -PROMPT === Row counts (expect higher than VPDUSER_A) === -SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg -UNION ALL -SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my; - -PROMPT -PROMPT === PII REDACTION (expect REAL email/full_name — GLOBAL_ADMINS has '*' so no masking) === -COLUMN customer_id FORMAT 9999 -COLUMN full_name FORMAT A20 -COLUMN email FORMAT A30 -COLUMN region FORMAT A8 -SELECT customer_id, full_name, email, region -FROM admin.v_customers_pg -ORDER BY customer_id; - -SELECT customer_id, full_name, email, region -FROM admin.v_customers_my -ORDER BY customer_id; - -EXIT; diff --git a/sql/adb/09_tests_user_pg.sql b/sql/adb/09_tests_user_pg.sql new file mode 100644 index 0000000..9fce330 --- /dev/null +++ b/sql/adb/09_tests_user_pg.sql @@ -0,0 +1,44 @@ +-- ============================================================ +-- 09_tests_user_pg.sql +-- Run as VPDUSER_PG (group PG_ONLY). +-- +-- Expected (mirror of 08): +-- - regions_pg = '*' -> ALL rows from PG view, unmasked +-- - regions_my = NULL -> 0 rows from MySQL view +-- ============================================================ +SET FEEDBACK ON +SET LINESIZE 200 +SET PAGESIZE 100 + +PROMPT +PROMPT === Who am I, and what context did the LOGON trigger load? === +SELECT USER AS session_user, + SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id, + SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg, + SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my +FROM dual; + +PROMPT +PROMPT === Row counts (expect: PG=12, MY=0) === +SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg +UNION ALL +SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my; + +PROMPT +PROMPT === PG view sample (expect: ALL regions, UNMASKED email/full_name) === +COLUMN customer_id FORMAT 9999 +COLUMN full_name FORMAT A20 +COLUMN email FORMAT A30 +COLUMN region FORMAT A8 +SELECT customer_id, full_name, email, region +FROM admin.v_customers_pg +ORDER BY customer_id +FETCH FIRST 5 ROWS ONLY; + +PROMPT +PROMPT === MySQL view sample (expect: NO ROWS — fail closed) === +SELECT customer_id, full_name, email, region +FROM admin.v_customers_my +ORDER BY customer_id; + +EXIT; diff --git a/sql/adb/10_tests_user_both.sql b/sql/adb/10_tests_user_both.sql new file mode 100644 index 0000000..ed2716a --- /dev/null +++ b/sql/adb/10_tests_user_both.sql @@ -0,0 +1,45 @@ +-- ============================================================ +-- 10_tests_user_both.sql +-- Run as VPDUSER_BOTH (group BOTH_SOURCES). +-- +-- Expected: +-- - regions_pg = '*' AND regions_my = '*' +-- - Both views fully visible, PII unmasked everywhere +-- ============================================================ +SET FEEDBACK ON +SET LINESIZE 200 +SET PAGESIZE 100 + +PROMPT +PROMPT === Who am I, and what context did the LOGON trigger load? === +SELECT USER AS session_user, + SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id, + SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg, + SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my +FROM dual; + +PROMPT +PROMPT === Row counts (expect: PG=12, MY=17) === +SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg +UNION ALL +SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my; + +PROMPT +PROMPT === PG view sample (expect: UNMASKED) === +COLUMN customer_id FORMAT 9999 +COLUMN full_name FORMAT A20 +COLUMN email FORMAT A30 +COLUMN region FORMAT A8 +SELECT customer_id, full_name, email, region +FROM admin.v_customers_pg +ORDER BY customer_id +FETCH FIRST 5 ROWS ONLY; + +PROMPT +PROMPT === MySQL view sample (expect: UNMASKED) === +SELECT customer_id, full_name, email, region +FROM admin.v_customers_my +ORDER BY customer_id +FETCH FIRST 5 ROWS ONLY; + +EXIT; diff --git a/sql/adb/11_tests_user_none.sql b/sql/adb/11_tests_user_none.sql new file mode 100644 index 0000000..4b92ce3 --- /dev/null +++ b/sql/adb/11_tests_user_none.sql @@ -0,0 +1,53 @@ +-- ============================================================ +-- 11_tests_user_none.sql +-- Run as VPDUSER_NONE — the "default deny" case. +-- +-- This user has CREATE SESSION and SELECT on both views, but ZERO +-- rows in the permission table. The LOGON trigger still fires and +-- ctx_pkg.init still runs — it just finds nothing to load. +-- +-- Expected: +-- - regions_pg = NULL AND regions_my = NULL +-- - Both views return 0 rows (policy returns '1=0' / fail-closed) +-- - This proves the model is "deny by default" — adding a user +-- without a permission row is automatically safe. +-- ============================================================ +SET FEEDBACK ON +SET LINESIZE 200 +SET PAGESIZE 100 + +PROMPT +PROMPT === Who am I, and what context did the LOGON trigger load? === +PROMPT === (expect: regions_pg and regions_my both NULL) === +SELECT USER AS session_user, + SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id, + SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg, + SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my +FROM dual; + +PROMPT +PROMPT === Row counts (expect: PG=0, MY=0 — fail-closed) === +SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg +UNION ALL +SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my; + +PROMPT +PROMPT === Confirm no rows leak through despite the GRANT on the view === +SELECT * FROM admin.v_customers_pg WHERE ROWNUM <= 1; +SELECT * FROM admin.v_customers_my WHERE ROWNUM <= 1; + +PROMPT +PROMPT === BYPASS: even with no permission row, all 4 bypass surfaces blocked === +WHENEVER SQLERROR CONTINUE; +SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK; +SELECT COUNT(*) FROM admin.permission; +BEGIN + DBMS_SESSION.SET_CONTEXT('VPD_CTX','V_CUSTOMERS_PG','*'); +END; +/ +BEGIN + DBMS_RLS.DROP_POLICY('ADMIN','V_CUSTOMERS_PG','CUSTOMERS_PG_POLICY'); +END; +/ + +EXIT; diff --git a/sql/adb/10_tests_admin_audit.sql b/sql/adb/12_tests_admin_audit.sql similarity index 54% rename from sql/adb/10_tests_admin_audit.sql rename to sql/adb/12_tests_admin_audit.sql index 19945f2..9b9cfcd 100644 --- a/sql/adb/10_tests_admin_audit.sql +++ b/sql/adb/12_tests_admin_audit.sql @@ -1,6 +1,7 @@ -- ============================================================ --- 09_tests_admin_audit.sql --- Run as ADMIN to audit / verify policy attachment. +-- 12_tests_admin_audit.sql +-- Run as ADMIN to audit / verify policy attachment and the +-- 4-user access matrix. -- ============================================================ SET FEEDBACK ON SET LINESIZE 220 @@ -14,7 +15,7 @@ COL sel FORMAT a3 COL enable FORMAT a6 PROMPT -PROMPT === Attached VPD policies === +PROMPT === Attached VPD policies (expect rows for V_CUSTOMERS_PG and V_CUSTOMERS_MY) === SELECT object_name, policy_name AS policy, pf_owner, @@ -24,6 +25,7 @@ SELECT object_name, enable FROM dba_policies WHERE object_owner = USER + AND object_name IN ('V_CUSTOMERS_PG','V_CUSTOMERS_MY') ORDER BY object_name, policy_name; PROMPT @@ -39,7 +41,7 @@ WHERE object_owner = USER ORDER BY object_name, policy_name; PROMPT -PROMPT === Redacted columns (which columns get masked, and how) === +PROMPT === Redacted columns === COL object_name FORMAT a20 COL column_name FORMAT a15 COL function_type FORMAT a15 @@ -55,17 +57,27 @@ WHERE object_owner = USER ORDER BY object_name, column_name; PROMPT -PROMPT === Permission summary (who can see what) === +PROMPT === 4-user access matrix (from permission table) === +PROMPT === Expected: === +PROMPT === VPDUSER_MY -> V_CUSTOMERS_MY '*' === +PROMPT === VPDUSER_PG -> V_CUSTOMERS_PG '*' === +PROMPT === VPDUSER_BOTH -> V_CUSTOMERS_PG '*' + V_CUSTOMERS_MY '*' === +PROMPT === VPDUSER_NONE -> (no rows — fail-closed by absence) === +COL db_username FORMAT a14 +COL group_name FORMAT a14 +COL source_name FORMAT a14 +COL object_name FORMAT a16 +COL allowed_regions FORMAT a16 SELECT u.db_username, g.group_name, s.source_name, p.object_name, p.allowed_regions FROM app_user u -JOIN user_group ug ON ug.user_id = u.user_id -JOIN app_group g ON g.group_id = ug.group_id -JOIN permission p ON p.group_id = g.group_id -JOIN db_source s ON s.source_id = p.source_id -ORDER BY u.db_username, p.object_name; +LEFT JOIN user_group ug ON ug.user_id = u.user_id +LEFT JOIN app_group g ON g.group_id = ug.group_id +LEFT JOIN permission p ON p.group_id = g.group_id +LEFT JOIN db_source s ON s.source_id = p.source_id +ORDER BY u.db_username, p.object_name NULLS LAST; EXIT;