Add the postgres tests in whatever state I left them in.

Author: orlitzky

Diff for: pg-test/01-create-actors.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+source ../default_psql_opts.sh
+
+#
+# Create the users/groups needed for the example
+#
+
+SQL="
+CREATE ROLE admins;
+CREATE ROLE customer_devs;
+
+CREATE USER anonymous;
+CREATE USER dba1 IN ROLE admins,customer_devs;
+CREATE USER alice IN ROLE customer_devs;
+CREATE USER bob IN ROLE customer_devs;
+
+CREATE DATABASE customer_project;
+CREATE DATABASE dba_project;
+"
+
+psql $PSQL_OPTS <<< "${SQL}";

Diff for: pg-test/02-create-permissions.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+source ../default_psql_opts.sh
+
+#
+# Are there any Postgres commands that you can insert here to make the
+# tests work? Note that this is already completely insane compared to
+# the filesystem example.
+#
+
+DATABASES="customer_project dba_project"
+
+ADMIN_QUERY="
+SELECT usename
+FROM (pg_user INNER JOIN pg_group
+      ON pg_user.usesysid = any(pg_group.grolist))
+WHERE pg_group.groname = 'admins';
+"
+ADMINS=$(psql $PSQL_OPTS        \
+              --no-align        \
+              --tuples-only     \
+              --dbname postgres \
+              <<< "${ADMIN_QUERY}" )
+
+DEV_QUERY="
+SELECT usename
+FROM (pg_user INNER JOIN pg_group
+      ON pg_user.usesysid = any(pg_group.grolist))
+WHERE pg_group.groname = 'customer_devs';
+"
+CUSTOMER_DEVS=$(psql $PSQL_OPTS        \
+                     --no-align        \
+                     --tuples-only     \
+                     --dbname postgres \
+                    <<< "${DEV_QUERY}" )
+
+ALL_USERS="${ADMINS} ${CUSTOMER_DEVS}"
+
+for database in $DATABASES; do
+    for user in $ALL_USERS; do
+	SQL="
+        GRANT ALL PRIVILEGES ON SCHEMA public TO admins;
+
+        ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+          GRANT ALL PRIVILEGES ON TABLES TO admins;
+
+        ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+          GRANT ALL PRIVILEGES ON SEQUENCES TO admins;
+
+        ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+          GRANT ALL PRIVILEGES ON FUNCTIONS TO admins;
+
+        ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+          GRANT ALL PRIVILEGES ON TYPES TO admins;
+        "
+	psql -q -U "${PSQL_USER}" -d "${database}" <<< "${SQL}"
+    done
+done
+
+
+for user in $ALL_USERS; do
+    SQL="
+    GRANT ALL PRIVILEGES ON SCHEMA public TO customer_devs;
+
+    ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+      GRANT ALL PRIVILEGES ON TABLES TO customer_devs;
+
+    ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+      GRANT ALL PRIVILEGES ON SEQUENCES TO customer_devs;
+
+    ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+      GRANT ALL PRIVILEGES ON FUNCTIONS TO customer_devs;
+
+    ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+      GRANT ALL PRIVILEGES ON TYPES TO customer_devs;
+    "
+
+    psql -q -U "${PSQL_USER}" -d customer_project <<< "${SQL}"
+
+    SQL="
+GRANT USAGE ON SCHEMA public TO anonymous;
+
+ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+  GRANT SELECT ON TABLES TO anonymous;
+
+ALTER DEFAULT PRIVILEGES FOR ROLE \"${user}\"
+  GRANT SELECT ON SEQUENCES TO anonymous;
+"
+    psql -q -U "${PSQL_USER}" -d customer_project <<< "${SQL}"
+
+done
+

Diff for: pg-test/03-run-tests.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+source ../die.sh
+
+# Ignore expected errors.
+exec 2>/dev/null
+
+# The admins and customer-devs can create files in customer-project.
+
+psql -q -U alice -d customer_project -c 'CREATE TABLE alice ( id int );'
+psql -q -U bob -d customer_project -c 'CREATE TABLE bob ( id int );'
+psql -q -U dba1 -d customer_project -c 'CREATE TABLE dba1 ( id int );'
+
+# Each user can insert into the tables created by the others.
+psql -q -U bob -d customer_project -c 'INSERT INTO dba1 VALUES (1);' \
+    || die "bob can't modify dba1's table."
+
+psql -q -U dba1 -d customer_project -c 'INSERT INTO alice VALUES (1);' \
+    || die "dba1 can't modify alice's table."
+
+psql -q -U alice -d customer_project -c 'INSERT INTO bob VALUES (1);' \
+    || die "alice can't modify bob's table."
+
+# The anonymous user can read bob's table.
+psql -o /dev/null -q -U anonymous -d customer_project \
+    -c 'SELECT * FROM bob;' \
+    || die "The anonymous user can't read bob's table."
+
+# The admins' databases are accessible only to themselves.
+psql -q -U dba1 -d dba_project -c 'CREATE TABLE dba1 ( id int );'
+
+psql -q -U alice -d dba_project -c 'INSERT INTO dba1 VALUES (1);' \
+    && die "alice can modify dba1's table."
+

Diff for: pg-test/04-add-new-user-and-retest.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+source ../default_psql_opts.sh
+source ../die.sh
+
+# Ignore expected errors.
+exec 2>/dev/null
+
+#
+# Now we add another admin. He should be able to access everything
+# without having to go back and set permissions manually. Likewise,
+# other people should be able to modify his stuff.
+#
+psql $PSQL_OPTS -c 'CREATE USER dba2 in ROLE admins,customer_devs;'
+
+
+# dba2 is automatically allowed to modify alice's table.
+psql -q -U dba2 -d customer_project -c 'INSERT INTO alice VALUES (2);' \
+    || die "dba2 can't modify alice's table."
+
+# Now dba2 creates a file in the customer's project.
+psql -q -U dba2 -d customer_project -c 'CREATE TABLE dba2 ( id int );'
+
+# Alice can modify it.
+psql -U alice -d customer_project -c 'INSERT INTO dba2 VALUES (2);' \
+    || die "alice can't modify dba2's table."
+
+# And the anonymous user can read it.
+psql -o /dev/null -q -U anonymous -d customer_project \
+    -c 'SELECT * FROM dba2;' \
+    || die "The anonymous user can't read dba2's table."
+
+# dba2 should also be able to modify dba1's table.
+psql -q -U dba2 -d dba_project -c 'INSERT INTO dba1 VALUES (2);' \
+    || die "dba2 can't modify dba1's table."

Diff for: pg-test/05-destroy-actors.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+source ../default_psql_opts.sh
+
+# Ignore "does not exist" errors.
+exec 2>/dev/null
+
+#
+# Destroy the users/groups created for the test.
+#
+
+DROP_OPTS="-U ${PSQL_USER} --if-exists"
+
+dropuser $DROP_OPTS anonymous
+dropuser $DROP_OPTS dba1
+dropuser $DROP_OPTS dba2
+dropuser $DROP_OPTS alice
+dropuser $DROP_OPTS bob
+
+dropuser $DROP_OPTS admins
+dropuser $DROP_OPTS customer_devs
+
+#
+# Remove the databases and tables created during the test.
+#
+dropdb $DROP_OPTS customer_project
+dropdb $DROP_OPTS dba_project