Diffstat (limited to 'src/test')
-rw-r--r-- | src/test/modules/test_rls_hooks/expected/test_rls_hooks.out | 7 | ||||
-rw-r--r-- | src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql | 8 | ||||
-rw-r--r-- | src/test/modules/test_rls_hooks/test_rls_hooks.c | 5 |
3 files changed, 20 insertions, 0 deletions
diff --git a/src/test/modules/test_rls_hooks/expected/test_rls_hooks.out b/src/test/modules/test_rls_hooks/expected/test_rls_hooks.out
index 3a7a4c329f3..4587eb014b7 100644
--- a/src/test/modules/test_rls_hooks/expected/test_rls_hooks.out
+++ b/src/test/modules/test_rls_hooks/expected/test_rls_hooks.out
@@ -13,6 +13,11 @@ CREATE TABLE rls_test_restrictive (
 supervisor name,
 data integer
 );
+-- At least one permissive policy must exist, otherwise
+-- the default deny policy will be applied. For
+-- testing the only-restrictive-policies from the hook,
+-- create a simple 'allow all' policy.
+CREATE POLICY p1 ON rls_test_restrictive USING (true);
 -- initial test data
 INSERT INTO rls_test_restrictive VALUES ('r1','s1',1);
 INSERT INTO rls_test_restrictive VALUES ('r2','s2',2);
@@ -109,6 +114,8 @@ RESET ROLE;
 -- Create "internal" policies, to check that the policies from
 -- the hooks are combined correctly.
 CREATE POLICY p1 ON rls_test_permissive USING (data % 2 = 0);
+-- Remove the original allow-all policy
+DROP POLICY p1 ON rls_test_restrictive;
 CREATE POLICY p1 ON rls_test_restrictive USING (data % 2 = 0);
 CREATE POLICY p1 ON rls_test_both USING (data % 2 = 0);
 SET ROLE r1;
diff --git a/src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql b/src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql
index ece4ab9dc94..3071213732f 100644
--- a/src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql
+++ b/src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql
@@ -17,6 +17,12 @@ CREATE TABLE rls_test_restrictive (
 data integer
 );
+-- At least one permissive policy must exist, otherwise
+-- the default deny policy will be applied. For
+-- testing the only-restrictive-policies from the hook,
+-- create a simple 'allow all' policy.
+CREATE POLICY p1 ON rls_test_restrictive USING (true);
+
 -- initial test data
 INSERT INTO rls_test_restrictive VALUES ('r1','s1',1);
 INSERT INTO rls_test_restrictive VALUES ('r2','s2',2);
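Review bot: The comment added above `CREATE POLICY p1 ON rls_test_restrictive USING (true);` in sql/test_rls_hooks.sql explains why a permissive policy is needed but not how wide this one is. With no FOR, TO or WITH CHECK clause the policy applies to every command and every role, and the USING expression is also used as the check on new rows, so after this statement the hook's restrictive policy is the only filter left on the table. I would add one line such as `-- Applies to all commands and roles; USING (true) also serves as WITH CHECK.` so a reader does not copy the pattern without seeing its scope.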
@@ -101,6 +107,8 @@ RESET ROLE;
 -- the hooks are combined correctly.
 CREATE POLICY p1 ON rls_test_permissive USING (data % 2 = 0);
+-- Remove the original allow-all policy
+DROP POLICY p1 ON rls_test_restrictive;
 CREATE POLICY p1 ON rls_test_restrictive USING (data % 2 = 0);
 CREATE POLICY p1 ON rls_test_both USING (data % 2 = 0);
diff --git a/src/test/modules/test_rls_hooks/test_rls_hooks.c b/src/test/modules/test_rls_hooks/test_rls_hooks.c
index d76b17ae46a..b96dbff9548 100644
--- a/src/test/modules/test_rls_hooks/test_rls_hooks.c
+++ b/src/test/modules/test_rls_hooks/test_rls_hooks.c
@@ -119,6 +119,11 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
 /*
 * Return restrictive policies to be added
+ *
+ * Note that a permissive policy must exist or the default-deny policy
+ * will be included and nothing will be visible. If no filtering should
+ * be done except for the restrictive policy, then a single "USING (true)"
+ * permissive policy can be used; see the regression tests.
 */
 List *
 test_rls_hooks_restrictive(CmdType cmdtype, Relation relation) |
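Review bot: Nothing asserts the default-deny case this commit documents, even though the table is in exactly that state right after `DROP POLICY p1 ON rls_test_restrictive;` in sql/test_rls_hooks.sql: only the hook's restrictive policy remains and the test rows are already loaded. A regression that made such a table readable would be the security-relevant failure, so a negative check belongs here before p1 is recreated, for example `SET ROLE r1; SELECT count(*) FROM rls_test_restrictive; RESET ROLE;` expecting 0, with the matching lines added to expected/test_rls_hooks.out. The rest of the file is outside the hunk, so an equivalent check may already exist elsewhere, and I am assuming r1 has SELECT on the table.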
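Review bot: The comment added above test_rls_hooks_restrictive ends with "see the regression tests" but gives no path, and it does not say where the required permissive policy may come from. I would name the file, `see sql/test_rls_hooks.sql`, and state whether a policy returned by test_rls_hooks_permissive satisfies the requirement or only a table-level `CREATE POLICY` does; the hunk does not show which holds, so that sentence needs confirming against the policy-combining code. The function body lies outside the hunk.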