Adds dds / dds-setup / dds-tests / dds-teardown subcommands so the
26ai Deep Data Security variant can be run from the same one-click
entry point. Not part of `./run.sh all` since DDS requires 26ai
(23.26.2+) which not every ADB has.
- sql/adb/14_tests_dds_user.sql: shared verification script for all
4 ddsuser_*; uses WHENEVER SQLERROR CONTINUE so the expected
ORA-00942 (deny-by-hiding) doesn't abort the script. Includes
bypass attempts against the underlying VPD views, raw DB Links,
and the VPD permission tables.
- sql/adb/15_dds_cleanup.sql: idempotent teardown for DDS objects
(data grants, end users, data roles, dds_db_role, DDS-only views).
- run.sh: do_dds_prereq / do_dds_setup / do_dds_tests /
do_dds_teardown helpers; dispatch case extended.
Also fixes a pre-existing secrets-leak gap: both 07_end_users.sql
and 13_dds_variant.sql had SET DEFINE ON without SET VERIFY OFF,
which causes sqlplus to echo the substituted DDL (including the
IDENTIFIED BY <password> clause) on the `new 1:` line. Added
SET VERIFY OFF.
E2E re-verified on ADB 23.26.2.2.0: matrix identical to manual run
(MY=17 / PG=12 / BOTH=12+17 / NONE=ORA-00942 on both), no password
in logs, dds-teardown leaves no residue.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1f4a9c7e64