From 20b1c7f1e5375a7db0136a6332403d199beebd7f Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Thu, 22 Jun 2023 16:21:41 -0700 Subject: [PATCH v3 1/2] Add failing test for undumped extension table [backpatch to 11] Currently, SELECT permission is required for extension tables even if they're internal (i.e. undumpable) and have no RLS policies. Add a failing test for this situation. --- src/test/modules/test_pg_dump/t/001_base.pl | 63 +++++++++++++------ .../test_pg_dump/test_pg_dump--1.0.sql | 2 + 2 files changed, 47 insertions(+), 18 deletions(-) diff --git a/src/test/modules/test_pg_dump/t/001_base.pl b/src/test/modules/test_pg_dump/t/001_base.pl index 501aff0920..1f7553f9aa 100644 --- a/src/test/modules/test_pg_dump/t/001_base.pl +++ b/src/test/modules/test_pg_dump/t/001_base.pl @@ -169,6 +169,19 @@ my %pgdump_runs = ( 'postgres', ], }, + + # regress_dump_login_role shouldn't need SELECT rights on internal + # (undumped) extension tables + privileged_internals => { + dump_cmd => [ + 'pg_dump', '--no-sync', "--file=$tempdir/privileged_internals.sql", + # these two tables are irrelevant to the test case + '--exclude-table=regress_pg_dump_schema.external_tab', + '--exclude-table=regress_pg_dump_schema.extdependtab', + '--username=regress_dump_login_role', 'postgres', + ], + }, + schema_only => { dump_cmd => [ 'pg_dump', '--no-sync', "--file=$tempdir/schema_only.sql", @@ -228,14 +241,15 @@ my %pgdump_runs = ( # Tests which are considered 'full' dumps by pg_dump, but there # are flags used to exclude specific items (ACLs, blobs, etc). my %full_runs = ( - binary_upgrade => 1, - clean => 1, - clean_if_exists => 1, - createdb => 1, - defaults => 1, - exclude_table => 1, - no_privs => 1, - no_owner => 1,); + binary_upgrade => 1, + clean => 1, + clean_if_exists => 1, + createdb => 1, + defaults => 1, + exclude_table => 1, + no_privs => 1, + no_owner => 1, + privileged_internals => 1,); my %tests = ( 'ALTER EXTENSION test_pg_dump' => { @@ -271,6 +285,16 @@ my %tests = ( like => { pg_dumpall_globals => 1, }, }, + 'CREATE ROLE regress_dump_login_role' => { + create_order => 1, + create_sql => 'CREATE ROLE regress_dump_login_role LOGIN;', + regexp => qr/^ + \QCREATE ROLE regress_dump_login_role;\E + \n\QALTER ROLE regress_dump_login_role WITH \E.*\Q LOGIN \E.*; + \n/xm, + like => { pg_dumpall_globals => 1, }, + }, + 'CREATE SEQUENCE regress_pg_dump_table_col1_seq' => { regexp => qr/^ \QCREATE SEQUENCE public.regress_pg_dump_table_col1_seq\E @@ -608,11 +632,12 @@ my %tests = ( /xms, like => {%pgdump_runs}, unlike => { - data_only => 1, - extension_schema => 1, - pg_dumpall_globals => 1, - section_data => 1, - section_pre_data => 1, + data_only => 1, + extension_schema => 1, + pg_dumpall_globals => 1, + privileged_internals => 1, + section_data => 1, + section_pre_data => 1, }, }, @@ -622,11 +647,12 @@ my %tests = ( /xms, like => {%pgdump_runs}, unlike => { - data_only => 1, - extension_schema => 1, - pg_dumpall_globals => 1, - section_data => 1, - section_pre_data => 1, + data_only => 1, + extension_schema => 1, + pg_dumpall_globals => 1, + privileged_internals => 1, + section_data => 1, + section_pre_data => 1, }, }, @@ -644,6 +670,7 @@ my %tests = ( schema_only => 1, section_pre_data => 1, }, + unlike => { privileged_internals => 1 }, },); ######################################### diff --git a/src/test/modules/test_pg_dump/test_pg_dump--1.0.sql b/src/test/modules/test_pg_dump/test_pg_dump--1.0.sql index 110f7eef66..1c68e146d9 100644 --- a/src/test/modules/test_pg_dump/test_pg_dump--1.0.sql +++ b/src/test/modules/test_pg_dump/test_pg_dump--1.0.sql @@ -12,11 +12,13 @@ CREATE SEQUENCE regress_pg_dump_seq; CREATE SEQUENCE regress_seq_dumpable; SELECT pg_catalog.pg_extension_config_dump('regress_seq_dumpable', ''); +GRANT SELECT ON SEQUENCE regress_seq_dumpable TO public; CREATE TABLE regress_table_dumpable ( col1 int check (col1 > 0) ); SELECT pg_catalog.pg_extension_config_dump('regress_table_dumpable', ''); +GRANT SELECT ON regress_table_dumpable TO public; CREATE SCHEMA regress_pg_dump_schema; -- 2.25.1