--
-- Test for facilities of security label
--
-- initial setups
SET client_min_messages TO 'warning';
DROP ROLE IF EXISTS seclabel_user1;
DROP ROLE IF EXISTS seclabel_user2;
DROP TABLE IF EXISTS seclabel_tbl1;
DROP TABLE IF EXISTS seclabel_tbl2;
DROP TABLE IF EXISTS seclabel_tbl3;
CREATE USER seclabel_user1 WITH CREATEROLE;
CREATE USER seclabel_user2;
CREATE TABLE seclabel_tbl1 (a int, b text);
CREATE TABLE seclabel_tbl2 (x int, y text);
CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
CREATE DOMAIN seclabel_domain AS text;
ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
RESET client_min_messages;
--
-- Test of SECURITY LABEL statement without a plugin
--
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified';			-- fail
ERROR:  no security label providers have been loaded
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified';		-- fail
ERROR:  security label provider "dummy" is not loaded
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...';		-- fail
ERROR:  no security label providers have been loaded
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified';			-- fail
ERROR:  no security label providers have been loaded
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified';			-- fail
ERROR:  no security label providers have been loaded
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified';		-- fail
ERROR:  security label provider "dummy" is not loaded
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...';		-- fail
ERROR:  no security label providers have been loaded
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified';			-- fail
ERROR:  no security label providers have been loaded
-- Load dummy external security provider
LOAD '@abs_builddir@/dummy_seclabel@DLSUFFIX@';
--
-- Test of SECURITY LABEL statement with a plugin
--
SET SESSION AUTHORIZATION seclabel_user1;
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified';			-- OK
SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified';		-- OK
SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified';	-- fail
ERROR:  column name must be qualified
SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...';	-- fail
ERROR:  '...invalid label...' is not a valid security label
SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified';	-- OK
SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified';	-- fail
ERROR:  security label provider "unknown_seclabel" is not loaded
SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
ERROR:  must be owner of relation seclabel_tbl2
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret';		-- fail (not superuser)
ERROR:  only superuser can set 'secret' label
SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified';	-- fail (not found)
ERROR:  relation "seclabel_tbl3" does not exist
SET SESSION AUTHORIZATION seclabel_user2;
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified';		-- fail
ERROR:  must be owner of relation seclabel_tbl1
SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified';			-- OK
--
-- Test for shared database object
--
SET SESSION AUTHORIZATION seclabel_user1;
SECURITY LABEL ON ROLE seclabel_user1 IS 'classified';			-- OK
SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...';	-- fail
ERROR:  '...invalid label...' is not a valid security label
SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified';	-- OK
SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified';	-- fail
ERROR:  security label provider "unknown_seclabel" is not loaded
SECURITY LABEL ON ROLE seclabel_user1 IS 'secret';	-- fail (not superuser)
ERROR:  only superuser can set 'secret' label
SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified';	-- fail (not found)
ERROR:  role "seclabel_user3" does not exist
SET SESSION AUTHORIZATION seclabel_user2;
SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified';	-- fail (not privileged)
ERROR:  must have CREATEROLE privilege
RESET SESSION AUTHORIZATION;
--
-- Test for various types of object
--
RESET SESSION AUTHORIZATION;
SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret';			-- OK
SECURITY LABEL ON VIEW seclabel_view1 IS 'classified';			-- OK
SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified';		-- OK
SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified';		-- OK
CREATE SCHEMA seclabel_test;
SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified';		-- OK
SELECT objtype, objname, provider, label FROM pg_seclabels
	ORDER BY objtype, objname;
 objtype  |     objname     | provider |    label     
----------+-----------------+----------+--------------
 column   | seclabel_tbl1.a | dummy    | unclassified
 domain   | seclabel_domain | dummy    | classified
 function | seclabel_four() | dummy    | classified
 role     | seclabel_user1  | dummy    | classified
 role     | seclabel_user2  | dummy    | unclassified
 schema   | seclabel_test   | dummy    | unclassified
 table    | seclabel_tbl1   | dummy    | top secret
 table    | seclabel_tbl2   | dummy    | classified
 view     | seclabel_view1  | dummy    | classified
(9 rows)

-- clean up objects
DROP FUNCTION seclabel_four();
DROP DOMAIN seclabel_domain;
DROP VIEW seclabel_view1;
DROP TABLE seclabel_tbl1;
DROP TABLE seclabel_tbl2;
DROP USER seclabel_user1;
DROP USER seclabel_user2;
DROP SCHEMA seclabel_test;
-- make sure we don't have any leftovers
SELECT objtype, objname, provider, label FROM pg_seclabels
	ORDER BY objtype, objname;
 objtype | objname | provider | label 
---------+---------+----------+-------
(0 rows)