~linuxjedi/drizzle/trunk-bug-667053

# 5. Ensure that a stored procedure defined with SQL SECURITY DEFINER can be called/executed by any user, using only the privileges (including database access privileges) associated with the user who created the stored procedure.

# 6. Ensure that a stored procedure defined with SQL SECURITY INVOKER can be called/executed by any user, using only the privileges (including database access privileges) associated with the user executing the stored procedure.

# ==============================================================================

let $message= Section 3.1.6 - Privilege Checks:;

--source include/show_msg80.inc

connection default;

USE db_storedproc_1;

--source suite/funcs_1/include/show_connection.inc

# ------------------------------------------------------------------------------

let $message= Testcase 3.1.6.1:

-----------------

Ensure that no user may create a stored procedure without the GRANT CREATE

ROUTINE privilege.;

--source include/show_msg80.inc

create user 'user_1'@'localhost';

grant all on db_storedproc_1.* to 'user_1'@'localhost';

revoke create routine on db_storedproc_1.* from 'user_1'@'localhost';

flush privileges;

--disable_warnings

DROP PROCEDURE IF EXISTS sp1;

--enable_warnings

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

connect (user1a, localhost, user_1, , db_storedproc_1);

--source suite/funcs_1/include/show_connection.inc

USE db_storedproc_1;

delimiter //;

--error 1044

CREATE PROCEDURE sp1(v1 char(20))

BEGIN

SELECT * from db_storedproc_1.t6 where t6.f2= 'xyz';

END//

delimiter ;//

disconnect user1a;

# add privilege again and check

connection default;

USE db_storedproc_1;

--source suite/funcs_1/include/show_connection.inc

GRANT CREATE ROUTINE ON db_storedproc_1.* TO 'user_1'@'localhost';

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

connect (user1b, localhost, user_1, , db_storedproc_1);

--source suite/funcs_1/include/show_connection.inc

USE db_storedproc_1;

delimiter //;

CREATE PROCEDURE sp1(v1 char(20))

BEGIN

SELECT * from db_storedproc_1.t6 where t6.f2= 'xyz';

END//

delimiter ;//

disconnect user1b;

# cleanup

connection default;

USE db_storedproc_1;

--source suite/funcs_1/include/show_connection.inc

DROP USER 'user_1'@'localhost';

DROP PROCEDURE sp1;

# ------------------------------------------------------------------------------

let $message= Testcase 3.1.6.2:

-----------------

Ensure that root always has the GRANT CREATE ROUTINE privilege.

(checked by other testscases);

--source include/show_msg80.inc

# ------------------------------------------------------------------------------

let $message= Testcase 3.1.6.3:

-----------------

Ensure that a user with the GRANT CREATE ROUTINE privilege can always create

100

both a procedure and a function, on any appropriate database.

101

--source include/show_msg80.inc

102

103

104

create user 'user_1'@'localhost';

105

106

grant create routine on db_storedproc_1.* to 'user_1'@'localhost';

107

flush privileges;

108

109

# disconnect default;

110

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

111

connect (user2, localhost, user_1, , db_storedproc_1);

112

--source suite/funcs_1/include/show_connection.inc

113

114

--disable_warnings

115

DROP PROCEDURE IF EXISTS sp3;

116

DROP FUNCTION IF EXISTS fn1;

117

--enable_warnings

118

119

delimiter //;

120

CREATE PROCEDURE sp3(v1 char(20))

121

BEGIN

122

SELECT * from db_storedproc_1.t6 where t6.f2= 'xyz';

123

END//

124

delimiter ;//

125

126

delimiter //;

127

CREATE FUNCTION fn1(v1 int) returns int

128

BEGIN

129

return v1;

130

END//

131

delimiter ;//

132

133

disconnect user2;

134

135

# cleanup

136

connection default;

137

USE db_storedproc_1;

138

--source suite/funcs_1/include/show_connection.inc

139

140

drop user 'user_1'@'localhost';

141

DROP PROCEDURE sp3;

142

DROP FUNCTION fn1;

143

144

145

# ------------------------------------------------------------------------------

146

let $message= Testcase 3.1.6.4:

147

-----------------

148

Ensure that the default security provision of a stored procedure is SQL SECURITY

149

DEFINER.;

150

--source include/show_msg80.inc

151

152

CREATE USER 'user_1'@'localhost';

153

154

grant update on db_storedproc_1.t6 to 'user_1'@'localhost';

155

grant execute on db_storedproc_1.* to 'user_1'@'localhost';

156

flush privileges;

157

158

USE db_storedproc_1;

159

160

--disable_warnings

161

DROP PROCEDURE IF EXISTS sp4;

162

--enable_warnings

163

164

delimiter //;

165

CREATE PROCEDURE sp4(v1 char(20))

166

BEGIN

167

SELECT * from db_storedproc_1.t6 where t6.f2= 'xyz';

168

END//

169

delimiter ;//

170

171

#disconnect default;

172

173

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

174

connect (user3, localhost, user_1, , db_storedproc_1);

175

--source suite/funcs_1/include/show_connection.inc

176

177

USE db_storedproc_1;

178

CALL sp4('a');

179

180

--vertical_results

181

SELECT SPECIFIC_NAME, ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE,

182

ROUTINE_BODY, ROUTINE_DEFINITION, IS_DETERMINISTIC,

183

SQL_DATA_ACCESS, SECURITY_TYPE, SQL_MODE, ROUTINE_COMMENT

184

FROM information_schema.routines

185

WHERE routine_schema LIKE 'db_sto%';

186

--horizontal_results

187

188

disconnect user3;

189

190

# cleanup

191

connection default;

192

--source suite/funcs_1/include/show_connection.inc

193

DROP PROCEDURE sp4;

194

DROP USER 'user_1'@'localhost';

195

196

197

# ------------------------------------------------------------------------------

198

let $message= Testcase 3.1.6.5:

199

-----------------

200

Ensure that a stored procedure defined with SQL SECURITY DEFINER can be

201

called/executed by any user, using only the privileges (including database

202

access privileges) associated with the user who created the stored procedure.;

203

--source include/show_msg80.inc

204

205

USE db_storedproc_1;

206

CREATE TABLE t3165 ( c1 char(20), c2 char(20), c3 date);

207

INSERT INTO t3165 VALUES ('inserted', 'outside of SP', NULL);

208

209

# creates procedures

210

create user 'user_1'@'localhost';

211

212

#executes procedure

213

create user 'user_2'@'localhost';

214

215

grant create routine on db_storedproc_1.* to 'user_1'@'localhost';

216

grant SELECT on db_storedproc_1.* to 'user_2'@'localhost';

217

grant execute on db_storedproc_1.* to 'user_2'@'localhost';

218

flush privileges;

219

220

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

221

connect (user5_1, localhost, user_1, , db_storedproc_1);

222

--source suite/funcs_1/include/show_connection.inc

223

224

delimiter //;

225

CREATE PROCEDURE sp5_s_i () sql security definer

226

BEGIN

227

SELECT * from db_storedproc_1.t3165;

228

insert into db_storedproc_1.t3165 values ('inserted', 'from sp5_s_i', 1000);

229

END//

230

231

CREATE PROCEDURE sp5_sel () sql security definer

232

BEGIN

233

SELECT * from db_storedproc_1.t3165;

234

END//

235

236

CREATE PROCEDURE sp5_ins () sql security definer

237

BEGIN

238

insert into db_storedproc_1.t3165 values ('inserted', 'from sp5_ins', 1000);

239

END//

240

delimiter ;//

241

242

disconnect user5_1;

243

244

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

245

connect (user5_2, localhost, user_2, , db_storedproc_1);

246

--source suite/funcs_1/include/show_connection.inc

247

248

--error 1142

249

CALL sp5_s_i();

250

--error 1142

251

CALL sp5_ins();

252

--error 1142

253

CALL sp5_sel();

254

255

# now 'add' INSERT to DEFINER

256

connection default;

257

--source suite/funcs_1/include/show_connection.inc

258

--error 1142

259

CALL sp5_sel();

260

grant insert on db_storedproc_1.* to 'user_1'@'localhost';

261

flush privileges;

262

263

connection user5_2;

264

--source suite/funcs_1/include/show_connection.inc

265

--error 1142

266

CALL sp5_s_i();

267

CALL sp5_ins();

268

--error 1142

269

CALL sp5_sel();

270

271

# now 'add' SELECT to DEFINER

272

connection default;

273

--source suite/funcs_1/include/show_connection.inc

274

--error 1142

275

CALL sp5_sel();

276

grant SELECT on db_storedproc_1.* to 'user_1'@'localhost';

277

#grant execute on db_storedproc_1.* to 'user_2'@'localhost';

278

flush privileges;

279

280

connection user5_2;

281

--source suite/funcs_1/include/show_connection.inc

282

CALL sp5_s_i();

283

CALL sp5_ins();

284

CALL sp5_sel();

285

286

# now revoke INSERT FROM DEFINER

287

connection default;

288

--source suite/funcs_1/include/show_connection.inc

289

REVOKE INSERT on db_storedproc_1.* from 'user_1'@'localhost';

290

flush privileges;

291

292

connection user5_2;

293

--source suite/funcs_1/include/show_connection.inc

294

--error 1142

295

CALL sp5_s_i();

296

--error 1142

297

CALL sp5_ins();

298

CALL sp5_sel();

299

300

# now revoke SELECT FROM DEFINER

301

connection default;

302

--source suite/funcs_1/include/show_connection.inc

303

REVOKE SELECT on db_storedproc_1.* from 'user_1'@'localhost';

304

flush privileges;

305

306

connection user5_2;

307

--source suite/funcs_1/include/show_connection.inc

308

--error 1142

309

CALL sp5_s_i();

310

--error 1142

311

CALL sp5_ins();

312

--error 1142

313

CALL sp5_sel();

314

315

# cleanup

316

disconnect user5_2;

317

connection default;

318

--source suite/funcs_1/include/show_connection.inc

319

320

DROP PROCEDURE sp5_s_i;

321

DROP PROCEDURE sp5_sel;

322

DROP PROCEDURE sp5_ins;

323

DROP TABLE t3165;

324

DROP USER 'user_1'@'localhost';

325

DROP USER 'user_2'@'localhost';

326

327

328

# ------------------------------------------------------------------------------

329

let $message= Testcase 3.1.6.6:

330

-----------------

331

Ensure that a stored procedure defined with SQL SECURITY INVOKER can be

332

called/executed by any user, using only the privileges (including database

333

access privileges) associated with the user executing the stored procedure.;

334

--source include/show_msg80.inc

335

336

USE db_storedproc_1;

337

CREATE TABLE t3166 ( c1 char(30) );

338

INSERT INTO db_storedproc_1.t3166 VALUES ('inserted outside SP');

339

340

# DEFINER

341

create user 'user_1'@'localhost';

342

343

# INVOKER

344

create user 'user_2'@'localhost';

345

346

GRANT CREATE ROUTINE ON db_storedproc_1.* TO 'user_1'@'localhost';

347

GRANT SELECT ON db_storedproc_1.* TO 'user_2'@'localhost';

348

GRANT EXECUTE ON db_storedproc_1.* TO 'user_2'@'localhost';

349

FLUSH PRIVILEGES;

350

351

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

352

connect (user6_1, localhost, user_1, , db_storedproc_1);

353

--source suite/funcs_1/include/show_connection.inc

354

355

delimiter //;

356

CREATE PROCEDURE sp3166_s_i () SQL SECURITY INVOKER

357

BEGIN

358

SELECT * from db_storedproc_1.t3166;

359

insert into db_storedproc_1.t3166 values ('inserted from sp3166_s_i');

360

END//

361

362

CREATE PROCEDURE sp3166_sel () SQL SECURITY INVOKER

363

BEGIN

364

SELECT * from db_storedproc_1.t3166;

365

END//

366

367

CREATE PROCEDURE sp3166_ins () SQL SECURITY INVOKER

368

BEGIN

369

insert into db_storedproc_1.t3166 values ('inserted from sp3166_ins');

370

END//

371

delimiter ;//

372

373

disconnect user6_1;

374

375

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

376

connect (user6_2, localhost, user_2, , db_storedproc_1);

377

--source suite/funcs_1/include/show_connection.inc

378

379

--error 1142

380

CALL sp3166_s_i();

381

--error 1142

382

CALL sp3166_ins();

383

CALL sp3166_sel();

384

385

# now 'add' INSERT to INVOKER

386

connection default;

387

--source suite/funcs_1/include/show_connection.inc

388

CALL sp3166_sel();

389

GRANT INSERT ON db_storedproc_1.* TO 'user_2'@'localhost';

390

FLUSH PRIVILEGES;

391

disconnect user6_2;

392

393

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

394

connect (user6_3, localhost, user_2, , db_storedproc_1);

395

--source suite/funcs_1/include/show_connection.inc

396

CALL sp3166_s_i();

397

CALL sp3166_ins();

398

CALL sp3166_sel();

399

disconnect user6_3;

400

401

# now 'remove' SELECT from INVOKER

402

connection default;

403

--source suite/funcs_1/include/show_connection.inc

404

CALL sp3166_sel();

405

REVOKE SELECT ON db_storedproc_1.* FROM 'user_2'@'localhost';

406

FLUSH PRIVILEGES;

407

408

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

409

connect (user6_4, localhost, user_2, , db_storedproc_1);

410

--source suite/funcs_1/include/show_connection.inc

411

--error 1142

412

CALL sp3166_s_i();

413

CALL sp3166_ins();

414

--error 1142

415

CALL sp3166_sel();

416

disconnect user6_4;

417

418

# now 'remove' EXECUTE FROM INVOKER

419

connection default;

420

CALL sp3166_s_i();

421

--source suite/funcs_1/include/show_connection.inc

422

REVOKE EXECUTE on db_storedproc_1.* FROM 'user_2'@'localhost';

423

FLUSH PRIVILEGES;

424

425

--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK

426

connect (user6_5, localhost, user_2, , db_storedproc_1);

427

--source suite/funcs_1/include/show_connection.inc

428

--error 1370

429

CALL sp3166_s_i();

430

--error 1370

431

CALL sp3166_ins();

432

--error 1370

433

CALL sp3166_sel();

434

disconnect user6_5;

435

436

# cleanup

437

connection default;

438

--source suite/funcs_1/include/show_connection.inc

439

440

DROP PROCEDURE sp3166_s_i;

441

DROP PROCEDURE sp3166_sel;

442

DROP PROCEDURE sp3166_ins;

443

DROP TABLE t3166;

444

DROP USER 'user_1'@'localhost';

445

DROP USER 'user_2'@'localhost';

446

447

448

# ==============================================================================

449

# USE the same .inc to cleanup before and after the test

450

--source suite/funcs_1/storedproc/cleanup_sp_tb.inc

451

452

# ==============================================================================

453

let $message= . +++ END OF SCRIPT +++;

454

--source include/show_msg80.inc

455

# ==============================================================================

Older »