Adds dds / dds-setup / dds-tests / dds-teardown subcommands so the 26ai Deep Data Security variant can be run from the same one-click entry point. Not part of `./run.sh all` since DDS requires 26ai (23.26.2+), which not every ADB instance runs yet. - sql/adb/14_tests_dds_user.sql: shared verification script for all 4 ddsuser_*; uses WHENEVER SQLERROR CONTINUE so the expected ORA-00942 (deny-by-hiding) doesn't abort the script. Includes bypass attempts against the underlying VPD views, raw DB Links, and the VPD permission tables. - sql/adb/15_dds_cleanup.sql: idempotent teardown for DDS objects (data grants, end users, data roles, dds_db_role, DDS-only views). - run.sh: do_dds_prereq / do_dds_setup / do_dds_tests / do_dds_teardown helpers; dispatch case extended. Also fixes a pre-existing secrets-leak gap: both 07_end_users.sql and 13_dds_variant.sql had SET DEFINE ON without SET VERIFY OFF, which causes sqlplus to echo the substituted DDL (including the IDENTIFIED BY <password> clause) on the `new 1:` line. Added SET VERIFY OFF. Note that VERIFY OFF only suppresses the old/new substitution echo; SET ECHO must also stay off in those scripts, otherwise sqlplus still prints each statement as it is read. E2E re-verified on ADB 23.26.2.2.0: matrix identical to manual run (MY=17 / PG=12 / BOTH=12+17 / NONE=ORA-00942 on both), no password in logs, dds-teardown leaves no residue. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
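-- ============================================================
-- 15_dds_cleanup.sql
-- Idempotent teardown for the DDS variant (13_dds_variant.sql).
-- Safe to run before 13_dds_variant.sql to wipe partial state.
--
-- Every DROP is attempted and a failure never aborts the script,
-- but failures are no longer swallowed silently: each one is printed
-- together with its ORA- message and counted in a final summary. On a
-- first run the "does not exist" lines are expected noise; anything
-- else (e.g. an end user still connected from 14_tests_dds_user.sql,
-- or a missing privilege) would otherwise leave residue hidden behind
-- the "cleanup complete" banner.
--
-- Objects are dropped dependents-first: data grants, end users,
-- data roles, the session-carrier role, then the DDS-only views.
--
-- Run as ADMIN. Object names are qualified with ADMIN so that, if
-- the script is ever run under another account, it does not drop a
-- same-named object in that account's schema by accident.
-- ============================================================
WHENEVER SQLERROR CONTINUE NONE;
SET ECHO OFF
SET FEEDBACK OFF
SET SERVEROUTPUT ON SIZE UNLIMITED

DECLARE
    -- Number of DROP statements that raised; reported at the end.
    l_failed PLS_INTEGER := 0;

    -- Run one DROP statement. Any error is recorded and printed with
    -- the statement text and SQLERRM instead of being discarded, so
    -- the run log shows exactly which object was left behind and why.
    -- The statement text contains only object names, never secrets.
    PROCEDURE drop_quietly(p_stmt IN VARCHAR2) IS
    BEGIN
        EXECUTE IMMEDIATE p_stmt;
        DBMS_OUTPUT.PUT_LINE('  dropped: ' || p_stmt);
    EXCEPTION
        WHEN OTHERS THEN
            l_failed := l_failed + 1;
            DBMS_OUTPUT.PUT_LINE('  skipped: ' || p_stmt || ' -> ' || SQLERRM);
    END drop_quietly;
BEGIN
    DBMS_OUTPUT.PUT_LINE('=== Dropping DDS data grants (if present) ===');
    drop_quietly('DROP DATA GRANT admin.dds_my_only_grant_mysql');
    drop_quietly('DROP DATA GRANT admin.dds_pg_only_grant_pg');
    drop_quietly('DROP DATA GRANT admin.dds_both_grant_pg');
    drop_quietly('DROP DATA GRANT admin.dds_both_grant_mysql');

    -- No CASCADE: END USERs own no objects.
    DBMS_OUTPUT.PUT_LINE('=== Dropping DDS end users (no CASCADE - END USERs own no objects) ===');
    drop_quietly('DROP END USER "ddsuser_my"');
    drop_quietly('DROP END USER "ddsuser_pg"');
    drop_quietly('DROP END USER "ddsuser_both"');
    drop_quietly('DROP END USER "ddsuser_none"');

    DBMS_OUTPUT.PUT_LINE('=== Dropping DDS data roles (if present) ===');
    drop_quietly('DROP DATA ROLE my_only_role');
    drop_quietly('DROP DATA ROLE pg_only_role');
    drop_quietly('DROP DATA ROLE both_sources_role');
    drop_quietly('DROP DATA ROLE connect_only_role');

    DBMS_OUTPUT.PUT_LINE('=== Dropping DDS regular role (session-carrier) ===');
    drop_quietly('DROP ROLE dds_db_role');

    DBMS_OUTPUT.PUT_LINE('=== Dropping DDS-only views ===');
    drop_quietly('DROP VIEW admin.v_dds_customers_pg');
    drop_quietly('DROP VIEW admin.v_dds_customers_my');

    -- Summary so a reader (or run.sh log grep) can tell a clean
    -- teardown from one that skipped statements.
    IF l_failed = 0 THEN
        DBMS_OUTPUT.PUT_LINE('=== All DDS objects dropped ===');
    ELSE
        DBMS_OUTPUT.PUT_LINE('=== ' || l_failed
            || ' statement(s) skipped - check the "skipped:" lines above ===');
    END IF;
END;
/

PROMPT === DDS cleanup complete ===
EXIT;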