joungmin/vpd-permission-poc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Pivot scenario from region-based 2 users to source-based 4 users

Browse Source 
Replaces the original APAC-vs-all 2-user demo (vpduser_a/b on
KR_ANALYSTS/GLOBAL_ADMINS groups) with a 2x2 source-access matrix:

  vpduser_my    -> MY_ONLY      group  -> MySQL view only
  vpduser_pg    -> PG_ONLY      group  -> Postgres view only
  vpduser_both  -> BOTH_SOURCES group  -> both views
  vpduser_none  -> (no group)          -> nothing (default deny)

Why: source-level segmentation is the more common production
permission story than region-level filtering. Region filtering
remains available as an opt-in variant via commented UPDATE in
sql/adb/03_seed.sql.

Key changes:
- 03_seed.sql, 07_end_users.sql, 00_cleanup.sql, .env.example,
  run.sh updated for the new 4-user model. All 4 users get
  identical view GRANTs; the only differentiator is the
  permission table (proves the model is "data-driven, not
  GRANT-driven").
- 08-11 split into one file per user: my (+ 5 bypass attempts),
  pg, both, none (default-deny verification).
- 12_tests_admin_audit.sql uses LEFT JOIN so vpduser_none shows
  up as NULL permissions, and filters by object_owner=USER to
  exclude cross-schema policies.
- Removed inline "-- comment" after ";" lines in 03_seed.sql:
  SQL*Plus silently skipped the inserts (documented gotcha).
- README.md + docs/01,02 updated for the 4-user matrix. docs/03
  detailed guide keeps the region-filter example but now has a
  preface explaining it's a variant of the default 4-user model.
- docs/04: db_type='mysql_community' note added (RDS MySQL).

E2E verified: PG=0/MY=17, PG=12/MY=0, PG=12/MY=17, PG=0/MY=0
plus all 5 bypass attempts blocked.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
devmrko
2026-05-26 14:42:11 +09:00
parent 68d53dc5a9
commit ed91306ee3
17 changed files with 424 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
sql/adb/00_cleanup.sql
View File

@@ -42,9 +42,19 @@ BEGIN EXECUTE IMMEDIATE 'DROP FUNCTION vpd_region_filter'; EXCEPTION WHEN OTHE
/
PROMPT === Dropping end-user accounts (cascade) ===
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_a CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_my CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_b CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_pg CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_both CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_none CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
-- Legacy names from the original 2-user scenario — kept for idempotent
-- re-runs over an already-installed POC.
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_a CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP USER vpduser_b CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
PROMPT === Dropping permission tables ===

71
sql/adb/03_seed.sql
View File

@@ -1,9 +1,19 @@
-- ============================================================
-- 02_seed.sql
-- Seed two end-users with different permissions to demonstrate VPD.
-- 03_seed.sql
-- Seed FOUR end-users to demonstrate a 2x2 source-access matrix:
--
-- VPDUSER_A -> group KR_ANALYSTS -> allowed_regions = 'APAC'
-- VPDUSER_B -> group GLOBAL_ADMINS -> allowed_regions = '*' (all rows)
-- user PG view MySQL view VPD predicate effect
-- ------------- ----------- ------------ ---------------------------
-- VPDUSER_MY blocked ALL rows PG='1=0' / MY=NULL(='*')
-- VPDUSER_PG ALL rows blocked PG=NULL / MY='1=0'
-- VPDUSER_BOTH ALL rows ALL rows PG=NULL / MY=NULL
-- VPDUSER_NONE blocked blocked PG='1=0' / MY='1=0'
--
-- The `permission` table grants per (group, source/view).
-- For this simplified demo every grant uses allowed_regions='*'
-- (full visibility within the source). Row-level region filtering
-- is still supported by the policy function — see commented examples
-- at the bottom of this file for how to layer it in.
--
-- Run as ADMIN.
-- ============================================================
@@ -12,35 +22,66 @@ SET FEEDBACK ON
PROMPT === Seeding permission data ===
-- Tenant (kept generic — multi-tenant hook for future use).
INSERT INTO app_customer (customer_id, customer_name) VALUES (1, 'Acme Corp');
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (1, 'VPDUSER_A', 1);
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (2, 'VPDUSER_B', 1);
-- Four end-users, each Oracle SESSION_USER value (uppercased).
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (1, 'VPDUSER_MY', 1);
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (2, 'VPDUSER_PG', 1);
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (3, 'VPDUSER_BOTH', 1);
INSERT INTO app_user (user_id, db_username, customer_id) VALUES (4, 'VPDUSER_NONE', 1);
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (10, 1, 'KR_ANALYSTS');
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (20, 1, 'GLOBAL_ADMINS');
-- One group per access pattern (1:1 in this demo; in production one
-- group typically aggregates many users).
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (10, 1, 'MY_ONLY');
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (20, 1, 'PG_ONLY');
INSERT INTO app_group (group_id, customer_id, group_name) VALUES (30, 1, 'BOTH_SOURCES');
-- (No group is needed for VPDUSER_NONE — absence of grants == fail-closed.)
-- A -> KR_ANALYSTS
-- (VPDUSER_NONE deliberately has no user_group row -> fail-closed.)
INSERT INTO user_group (user_id, group_id) VALUES (1, 10);
-- B -> GLOBAL_ADMINS
INSERT INTO user_group (user_id, group_id) VALUES (2, 20);
INSERT INTO user_group (user_id, group_id) VALUES (3, 30);
-- Source registry.
INSERT INTO db_source (source_id, source_name, source_type, dblink_name)
VALUES (100, 'RDS_POSTGRES', 'DBLINK_PG', 'RDS_POSTGRES_LINK');
INSERT INTO db_source (source_id, source_name, source_type, dblink_name)
VALUES (200, 'RDS_MYSQL', 'DBLINK_MY', 'RDS_LINK');
-- Permissions: KR analysts see APAC only; Global admins see everything.
-- Permissions: '*' means no row filter (full visibility on that view).
-- Mapping (group -> view):
-- MY_ONLY(10) -> V_CUSTOMERS_MY
-- PG_ONLY(20) -> V_CUSTOMERS_PG
-- BOTH_SOURCES(30) -> V_CUSTOMERS_PG + V_CUSTOMERS_MY
-- (VPDUSER_NONE has no group, hence no permission row.)
INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
VALUES (1, 10, 100, 'V_CUSTOMERS_PG', 'APAC');
VALUES (1, 10, 200, 'V_CUSTOMERS_MY', '*');
INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
VALUES (2, 10, 200, 'V_CUSTOMERS_MY', 'APAC');
VALUES (2, 20, 100, 'V_CUSTOMERS_PG', '*');
INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
VALUES (3, 20, 100, 'V_CUSTOMERS_PG', '*');
VALUES (3, 30, 100, 'V_CUSTOMERS_PG', '*');
INSERT INTO permission (perm_id, group_id, source_id, object_name, allowed_regions)
VALUES (4, 20, 200, 'V_CUSTOMERS_MY', '*');
VALUES (4, 30, 200, 'V_CUSTOMERS_MY', '*');
COMMIT;
-- ------------------------------------------------------------
-- HOW TO LAYER IN ROW-LEVEL REGION FILTERS (uncomment to try)
-- ------------------------------------------------------------
-- 'BOTH_SOURCES' showing only APAC from PG instead of '*':
-- UPDATE permission SET allowed_regions = 'APAC'
-- WHERE group_id = 30 AND object_name = 'V_CUSTOMERS_PG';
-- COMMIT;
--
-- Multi-region (CSV) example for the same group on MySQL:
-- UPDATE permission SET allowed_regions = 'APAC,EMEA'
-- WHERE group_id = 30 AND object_name = 'V_CUSTOMERS_MY';
-- COMMIT;
--
-- The policy function vpd_region_filter handles CSV → IN-list
-- conversion automatically. See sql/adb/06_policy.sql.
-- ------------------------------------------------------------
PROMPT === Seed complete ===
EXIT;

6
sql/adb/06a_redaction.sql
View File

@@ -6,8 +6,10 @@
-- PII columns (email, full_name) are MASKED unless the session
-- has full-region access ('*') on the corresponding view.
--
-- - VPDUSER_A (KR_ANALYSTS, regions = 'APAC') -> sees masked PII
-- - VPDUSER_B (GLOBAL_ADMINS, regions = '*') -> sees real PII
-- - VPDUSER_MY -> PG view masked, MY view unmasked (allowed '*')
-- - VPDUSER_PG -> PG view unmasked, MY view masked
-- - VPDUSER_BOTH -> both views unmasked
-- - VPDUSER_NONE -> both masked (but rows filtered to 0 anyway)
--
-- Reuses the secure VPD_CTX populated at logon — no new context.
-- Data Redaction and VPD compose: VPD filters rows first, Redaction

51
sql/adb/07_end_users.sql
View File

@@ -1,10 +1,11 @@
-- ============================================================
-- 07_end_users.sql
-- Create the two end-user accounts with MINIMAL privileges.
-- Create the FOUR end-user accounts with MINIMAL privileges.
-- Add a LOGON trigger that loads each user's context automatically.
-- Run as ADMIN.
--
-- DEFINE: &VPDUSER_A_PASSWORD, &VPDUSER_B_PASSWORD
-- DEFINE: &VPDUSER_MY_PASSWORD, &VPDUSER_PG_PASSWORD,
-- &VPDUSER_BOTH_PASSWORD, &VPDUSER_NONE_PASSWORD
-- ============================================================
SET ECHO OFF
SET FEEDBACK ON
@@ -13,25 +14,38 @@ SET DEFINE ON
PROMPT === Creating end-user accounts ===
-- Passwords come from .env (DEFINE) so they aren't hardcoded in source.
-- Production should use IAM / proxy auth / mTLS instead of static passwords.
CREATE USER vpduser_a IDENTIFIED BY "&VPDUSER_A_PASSWORD";
CREATE USER vpduser_b IDENTIFIED BY "&VPDUSER_B_PASSWORD";
CREATE USER vpduser_my IDENTIFIED BY "&VPDUSER_MY_PASSWORD";
CREATE USER vpduser_pg IDENTIFIED BY "&VPDUSER_PG_PASSWORD";
CREATE USER vpduser_both IDENTIFIED BY "&VPDUSER_BOTH_PASSWORD";
CREATE USER vpduser_none IDENTIFIED BY "&VPDUSER_NONE_PASSWORD";
-- ADB requires a tablespace quota even for read-only users in some setups; we
-- skip QUOTA since these users won't create objects.
GRANT CREATE SESSION TO vpduser_a;
GRANT CREATE SESSION TO vpduser_b;
-- Login privilege only. No QUOTA — these users never create objects.
GRANT CREATE SESSION TO vpduser_my;
GRANT CREATE SESSION TO vpduser_pg;
GRANT CREATE SESSION TO vpduser_both;
GRANT CREATE SESSION TO vpduser_none;
PROMPT === Granting SELECT on the policy-protected views ONLY ===
GRANT SELECT ON v_customers_pg TO vpduser_a;
GRANT SELECT ON v_customers_my TO vpduser_a;
GRANT SELECT ON v_customers_pg TO vpduser_b;
GRANT SELECT ON v_customers_my TO vpduser_b;
-- We deliberately grant SELECT on BOTH views to all four users.
-- The VPD policy decides what they actually see — including 0 rows
-- when there is no permission row. This is what makes the demo a
-- clean security boundary: revoking access doesn't mean revoking
-- the GRANT; it means removing the row in `permission`.
GRANT SELECT ON v_customers_pg TO vpduser_my;
GRANT SELECT ON v_customers_my TO vpduser_my;
GRANT SELECT ON v_customers_pg TO vpduser_pg;
GRANT SELECT ON v_customers_my TO vpduser_pg;
GRANT SELECT ON v_customers_pg TO vpduser_both;
GRANT SELECT ON v_customers_my TO vpduser_both;
GRANT SELECT ON v_customers_pg TO vpduser_none;
GRANT SELECT ON v_customers_my TO vpduser_none;
-- Allow them to call ctx_pkg.init (the logon trigger needs this, and a manual
-- re-init is sometimes useful). The package is bound to vpd_ctx so calling it
-- is harmless: it only ever loads the caller's OWN permissions.
GRANT EXECUTE ON ctx_pkg TO vpduser_a;
GRANT EXECUTE ON ctx_pkg TO vpduser_b;
-- ctx_pkg is bound to the secure context; calling it is harmless
-- (the package always loads ONLY the caller's own permissions).
GRANT EXECUTE ON ctx_pkg TO vpduser_my;
GRANT EXECUTE ON ctx_pkg TO vpduser_pg;
GRANT EXECUTE ON ctx_pkg TO vpduser_both;
GRANT EXECUTE ON ctx_pkg TO vpduser_none;
-- NOTE on what we are deliberately NOT granting:
-- * NO grant on app_user / permission / etc. -> users can't read who-can-see-what
@@ -46,7 +60,8 @@ CREATE OR REPLACE TRIGGER vpd_logon_trg
AFTER LOGON ON DATABASE
BEGIN
-- Only fire for our application end-users. ADMIN logons keep normal behavior.
IF SYS_CONTEXT('USERENV','SESSION_USER') IN ('VPDUSER_A','VPDUSER_B') THEN
IF SYS_CONTEXT('USERENV','SESSION_USER') IN
('VPDUSER_MY','VPDUSER_PG','VPDUSER_BOTH','VPDUSER_NONE') THEN
admin.ctx_pkg.init;
END IF;
EXCEPTION

45
sql/adb/08_tests_user_a.sql → sql/adb/08_tests_user_my.sql
View File

@@ -1,7 +1,13 @@
-- ============================================================
-- 07_tests_user_a.sql
-- Run as VPDUSER_A (group KR_ANALYSTS, allowed_regions=APAC).
-- Expected: only APAC rows visible; bypass attempts fail.
-- 08_tests_user_my.sql
-- Run as VPDUSER_MY (group MY_ONLY).
--
-- Expected:
-- - regions_pg = NULL -> policy returns '1=0' -> 0 rows from PG view
-- - regions_my = '*' -> policy returns NULL -> ALL rows from MySQL view
-- - email/full_name on MySQL view are unmasked ('*' bypasses redaction)
-- - all five bypass attempts fail (this is the full bypass-attempt suite;
-- the other three user tests rerun the most relevant subset only)
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
@@ -9,42 +15,37 @@ SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Distinct regions visible from Postgres view (expect: APAC only) ===
SELECT DISTINCT region FROM admin.v_customers_pg ORDER BY 1;
PROMPT
PROMPT === Distinct regions visible from MySQL view (expect: APAC only) ===
SELECT DISTINCT region FROM admin.v_customers_my ORDER BY 1;
PROMPT
PROMPT === Row counts ===
PROMPT === Row counts (expect: PG=0, MY=17) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === PII REDACTION (expect masked email/full_name: 'j****@...' / 'A****') ===
PROMPT === MySQL view sample (expect: ALL regions, UNMASKED email/full_name) ===
COLUMN customer_id FORMAT 9999
COLUMN full_name FORMAT A20
COLUMN email FORMAT A30
COLUMN region FORMAT A8
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id
FETCH FIRST 5 ROWS ONLY;
PROMPT
PROMPT === PG view sample (expect: NO ROWS fail closed) ===
SELECT customer_id, full_name, email, region
FROM admin.v_customers_pg
ORDER BY customer_id;
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id;
PROMPT
PROMPT === BYPASS 1: query remote table directly (expect ORA-00942 / privilege error) ===
PROMPT === BYPASS 1: query remote tables directly (expect ORA-00942 / privilege error) ===
WHENEVER SQLERROR CONTINUE;
SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK;
SELECT COUNT(*) FROM "ecommerce_poc"."customers"@RDS_LINK;

46
sql/adb/09_tests_user_b.sql
View File

@@ -1,46 +0,0 @@
-- ============================================================
-- 08_tests_user_b.sql
-- Run as VPDUSER_B (group GLOBAL_ADMINS, allowed_regions=*).
-- Expected: ALL regions visible (no row filter).
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Distinct regions visible from Postgres view (expect: all regions) ===
SELECT DISTINCT region FROM admin.v_customers_pg ORDER BY 1;
PROMPT
PROMPT === Distinct regions visible from MySQL view (expect: all regions) ===
SELECT DISTINCT region FROM admin.v_customers_my ORDER BY 1;
PROMPT
PROMPT === Row counts (expect higher than VPDUSER_A) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === PII REDACTION (expect REAL email/full_name GLOBAL_ADMINS has '*' so no masking) ===
COLUMN customer_id FORMAT 9999
COLUMN full_name FORMAT A20
COLUMN email FORMAT A30
COLUMN region FORMAT A8
SELECT customer_id, full_name, email, region
FROM admin.v_customers_pg
ORDER BY customer_id;
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id;
EXIT;

44
sql/adb/09_tests_user_pg.sql Normal file
View File

@@ -0,0 +1,44 @@
-- ============================================================
-- 09_tests_user_pg.sql
-- Run as VPDUSER_PG (group PG_ONLY).
--
-- Expected (mirror of 08):
-- - regions_pg = '*' -> ALL rows from PG view, unmasked
-- - regions_my = NULL -> 0 rows from MySQL view
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Row counts (expect: PG=12, MY=0) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === PG view sample (expect: ALL regions, UNMASKED email/full_name) ===
COLUMN customer_id FORMAT 9999
COLUMN full_name FORMAT A20
COLUMN email FORMAT A30
COLUMN region FORMAT A8
SELECT customer_id, full_name, email, region
FROM admin.v_customers_pg
ORDER BY customer_id
FETCH FIRST 5 ROWS ONLY;
PROMPT
PROMPT === MySQL view sample (expect: NO ROWS fail closed) ===
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id;
EXIT;

45
sql/adb/10_tests_user_both.sql Normal file
View File

@@ -0,0 +1,45 @@
-- ============================================================
-- 10_tests_user_both.sql
-- Run as VPDUSER_BOTH (group BOTH_SOURCES).
--
-- Expected:
-- - regions_pg = '*' AND regions_my = '*'
-- - Both views fully visible, PII unmasked everywhere
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Row counts (expect: PG=12, MY=17) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === PG view sample (expect: UNMASKED) ===
COLUMN customer_id FORMAT 9999
COLUMN full_name FORMAT A20
COLUMN email FORMAT A30
COLUMN region FORMAT A8
SELECT customer_id, full_name, email, region
FROM admin.v_customers_pg
ORDER BY customer_id
FETCH FIRST 5 ROWS ONLY;
PROMPT
PROMPT === MySQL view sample (expect: UNMASKED) ===
SELECT customer_id, full_name, email, region
FROM admin.v_customers_my
ORDER BY customer_id
FETCH FIRST 5 ROWS ONLY;
EXIT;

53
sql/adb/11_tests_user_none.sql Normal file
View File

@@ -0,0 +1,53 @@
-- ============================================================
-- 11_tests_user_none.sql
-- Run as VPDUSER_NONE — the "default deny" case.
--
-- This user has CREATE SESSION and SELECT on both views, but ZERO
-- rows in the permission table. The LOGON trigger still fires and
-- ctx_pkg.init still runs — it just finds nothing to load.
--
-- Expected:
-- - regions_pg = NULL AND regions_my = NULL
-- - Both views return 0 rows (policy returns '1=0' / fail-closed)
-- - This proves the model is "deny by default" — adding a user
-- without a permission row is automatically safe.
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 200
SET PAGESIZE 100
PROMPT
PROMPT === Who am I, and what context did the LOGON trigger load? ===
PROMPT === (expect: regions_pg and regions_my both NULL) ===
SELECT USER AS session_user,
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
FROM dual;
PROMPT
PROMPT === Row counts (expect: PG=0, MY=0 fail-closed) ===
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
UNION ALL
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
PROMPT
PROMPT === Confirm no rows leak through despite the GRANT on the view ===
SELECT * FROM admin.v_customers_pg WHERE ROWNUM <= 1;
SELECT * FROM admin.v_customers_my WHERE ROWNUM <= 1;
PROMPT
PROMPT === BYPASS: even with no permission row, all 4 bypass surfaces blocked ===
WHENEVER SQLERROR CONTINUE;
SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK;
SELECT COUNT(*) FROM admin.permission;
BEGIN
DBMS_SESSION.SET_CONTEXT('VPD_CTX','V_CUSTOMERS_PG','*');
END;
/
BEGIN
DBMS_RLS.DROP_POLICY('ADMIN','V_CUSTOMERS_PG','CUSTOMERS_PG_POLICY');
END;
/
EXIT;

32
sql/adb/10_tests_admin_audit.sql → sql/adb/12_tests_admin_audit.sql
View File

@@ -1,6 +1,7 @@
-- ============================================================
-- 09_tests_admin_audit.sql
-- Run as ADMIN to audit / verify policy attachment.
-- 12_tests_admin_audit.sql
-- Run as ADMIN to audit / verify policy attachment and the
-- 4-user access matrix.
-- ============================================================
SET FEEDBACK ON
SET LINESIZE 220
@@ -14,7 +15,7 @@ COL sel FORMAT a3
COL enable FORMAT a6
PROMPT
PROMPT === Attached VPD policies ===
PROMPT === Attached VPD policies (expect rows for V_CUSTOMERS_PG and V_CUSTOMERS_MY) ===
SELECT object_name,
policy_name AS policy,
pf_owner,
@@ -24,6 +25,7 @@ SELECT object_name,
enable
FROM dba_policies
WHERE object_owner = USER
AND object_name IN ('V_CUSTOMERS_PG','V_CUSTOMERS_MY')
ORDER BY object_name, policy_name;
PROMPT
@@ -39,7 +41,7 @@ WHERE object_owner = USER
ORDER BY object_name, policy_name;
PROMPT
PROMPT === Redacted columns (which columns get masked, and how) ===
PROMPT === Redacted columns ===
COL object_name FORMAT a20
COL column_name FORMAT a15
COL function_type FORMAT a15
@@ -55,17 +57,27 @@ WHERE object_owner = USER
ORDER BY object_name, column_name;
PROMPT
PROMPT === Permission summary (who can see what) ===
PROMPT === 4-user access matrix (from permission table) ===
PROMPT === Expected: ===
PROMPT === VPDUSER_MY -> V_CUSTOMERS_MY '*' ===
PROMPT === VPDUSER_PG -> V_CUSTOMERS_PG '*' ===
PROMPT === VPDUSER_BOTH -> V_CUSTOMERS_PG '*' + V_CUSTOMERS_MY '*' ===
PROMPT === VPDUSER_NONE -> (no rows fail-closed by absence) ===
COL db_username FORMAT a14
COL group_name FORMAT a14
COL source_name FORMAT a14
COL object_name FORMAT a16
COL allowed_regions FORMAT a16
SELECT u.db_username,
g.group_name,
s.source_name,
p.object_name,
p.allowed_regions
FROM app_user u
JOIN user_group ug ON ug.user_id = u.user_id
JOIN app_group g ON g.group_id = ug.group_id
JOIN permission p ON p.group_id = g.group_id
JOIN db_source s ON s.source_id = p.source_id
ORDER BY u.db_username, p.object_name;
LEFT JOIN user_group ug ON ug.user_id = u.user_id
LEFT JOIN app_group g ON g.group_id = ug.group_id
LEFT JOIN permission p ON p.group_id = g.group_id
LEFT JOIN db_source s ON s.source_id = p.source_id
ORDER BY u.db_username, p.object_name NULLS LAST;
EXIT;