diff --git a/src/test/regress/expected/role.out b/src/test/regress/expected/role.out new file mode 100644 index 0000000..7b8fcb9 --- /dev/null +++ b/src/test/regress/expected/role.out @@ -0,0 +1,309 @@ +-- +-- USER (ROLE) +-- Regression tests to check for ROLE related operations +-- +-- Should work. SET configuration during ALTER ROLE +-- This role is used at multiple places and so DROPped at the end +CREATE ROLE regress_rol_rol1; +ALTER ROLE regress_rol_rol1 SET SEED=0.5; +-- Should fail. Can't ALTER ROLE if it does not exist +ALTER ROLE regress_rol_rol1b SUPERUSER; +ERROR: role "regress_rol_rol1b" does not exist +ALTER ROLE regress_rol_rol1b SET SEED=0.5; +ERROR: role "regress_rol_rol1b" does not exist +-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER +CREATE ROLE regress_rol_rol2; +SET ROLE regress_rol_rol2; +CREATE ROLE regress_rol_rol3 SUPERUSER; +ERROR: must be superuser to create superusers +RESET ROLE; +DROP ROLE regress_rol_rol2; +-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER +CREATE ROLE regress_rol_rol2b; +CREATE ROLE regress_rol_rol3b; +SET ROLE regress_rol_rol2b; +ALTER ROLE regress_rol_rol3b SUPERUSER; +ERROR: must be superuser to alter superusers +RESET ROLE; +DROP ROLE regress_rol_rol3b; +DROP ROLE regress_rol_rol2b; +-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER +CREATE ROLE regress_rol_rol4; +CREATE ROLE regress_rol_rol5; +SET ROLE regress_rol_rol4; +ALTER ROLE regress_rol_rol5 SUPERUSER; +ERROR: must be superuser to alter superusers +RESET ROLE; +DROP ROLE regress_rol_rol5; +DROP ROLE regress_rol_rol4; +-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER +CREATE ROLE regress_rol_rol6 SUPERUSER; +CREATE ROLE regress_rol_rol7; +SET ROLE regress_rol_rol7; +ALTER ROLE regress_rol_rol6 NOSUPERUSER; +ERROR: must be superuser to alter superusers +ALTER ROLE regress_rol_rol6 SET SEED=0.5; +ERROR: must be superuser to alter superusers +RESET ROLE; +DROP ROLE regress_rol_rol7; +DROP ROLE regress_rol_rol6; +-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege +CREATE ROLE regress_rol_rol7; +CREATE ROLE regress_rol_rol8; +SET ROLE regress_rol_rol8; +ALTER ROLE regress_rol_rol7 SET SEED = 0.5; +ERROR: permission denied +ALTER ROLE regress_rol_rol7 VALID UNTIL '9999/1/1'; +ERROR: permission denied +RESET ROLE; +DROP ROLE regress_rol_rol8; +DROP ROLE regress_rol_rol7; +-- Should work. Do an ALTER ROLE SET on a database variable +CREATE SCHEMA schema_ro9; +SET ROLE regress_rol_rol1; +ALTER ROLE regress_rol_rol1 SET search_path TO schema_ro9, public; +RESET ROLE; +DROP SCHEMA schema_ro9; +-- Should fail. ALTER ROLE on valid DB entities but non-existent roles +CREATE SCHEMA schema_ro11; +ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public; +ERROR: role "schema_ro11" does not exist +DROP SCHEMA schema_ro11; +-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER +CREATE ROLE regress_rol_rol12; +CREATE ROLE regress_rol_rol13 WITH REPLICATION; +SET ROLE regress_rol_rol12; +ALTER ROLE regress_rol_rol13 SET SEED = 0.5; +ERROR: permission denied +ALTER ROLE regress_rol_rol13 NOREPLICATION; +ERROR: must be superuser to alter replication users +DROP ROLE regress_rol_rol13; +ERROR: permission denied to drop role +RESET ROLE; +DROP ROLE regress_rol_rol13; +DROP ROLE regress_rol_rol12; +-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD +ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD 'abc'; +ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD 'abc'; +-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value +ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD; +ERROR: syntax error at or near ";" +LINE 1: ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD; + ^ +ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD; +ERROR: syntax error at or near ";" +LINE 1: ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD; + ^ +-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED +ALTER ROLE regress_rol_rol1 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc'; +ERROR: syntax error at or near "UNENCRYPTED" +LINE 1: ALTER ROLE regress_rol_rol1 WITH ENCRYPTED UNENCRYPTED PASSW... + ^ +-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT +ALTER ROLE regress_rol_rol1 WITH INHERIT NOINHERIT; +ERROR: conflicting or redundant options +-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB +ALTER ROLE regress_rol_rol1 WITH CREATEDB NOCREATEDB; +ERROR: conflicting or redundant options +-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN +ALTER ROLE regress_rol_rol1 WITH LOGIN NOLOGIN; +ERROR: conflicting or redundant options +-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE +ALTER ROLE regress_rol_rol1 WITH CREATEROLE NOCREATEROLE; +ERROR: conflicting or redundant options +-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION +ALTER ROLE regress_rol_rol1 WITH REPLICATION NOREPLICATION; +ERROR: conflicting or redundant options +-- Should fail. ALTER ROLE with CONNECTION LIMIT 0 +ALTER ROLE regress_rol_rol1 WITH CONNECTION LIMIT 0; +-- Should fail. ALTER ROLE with VALID UNTIL without a value +ALTER ROLE regress_rol_rol1 VALID UNTIL; +ERROR: syntax error at or near ";" +LINE 1: ALTER ROLE regress_rol_rol1 VALID UNTIL; + ^ +-- Should fail. ALTER ROLE with invalid option +ALTER ROLE regress_rol_rol1 invalid_option; +ERROR: unrecognized role option "invalid_option" +LINE 1: ALTER ROLE regress_rol_rol1 invalid_option; + ^ +-- Should work. ALTER ROLE with valid values +ALTER ROLE regress_rol_rol1 WITH VALID UNTIL '9999/1/1' INHERIT LOGIN REPLICATION + CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5; +-- Should work. ALTER ROLE with SET and valid values +ALTER ROLE regress_rol_rol1 SET SEED = 0.5 ; +-- Should work. ALTER ROLE with IN DATABASE with ROLE +ALTER ROLE regress_rol_rol1 IN DATABASE regression SET SEED = 0.5 ; +-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL +BEGIN TRANSACTION; +ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ; +ROLLBACK; +-- Should fail. ALTER ROLE with PASSWORD NULL +ALTER ROLE regress_rol_rol1 PASSWORD NULL; +-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER +BEGIN TRANSACTION; +CREATE ROLE regress_rol_rol31; +SET ROLE regress_rol_rol31; +ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ; +ERROR: must be owner of database postgres +DROP ROLE regress_rol_rol31; +ERROR: current transaction is aborted, commands ignored until end of transaction block +ROLLBACK; +-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER +CREATE ROLE regress_rol_rol32; +SET ROLE regress_rol_rol32; +ALTER ROLE ALL SET SEED = 0.5 ; +ERROR: must be superuser to alter settings globally +RESET ROLE; +DROP ROLE regress_rol_rol32; +-- Should fail. DROP ROLE for current user +CREATE ROLE regress_rol_rol33 CREATEROLE; +SET ROLE regress_rol_rol33; +DROP ROLE regress_rol_rol33; +ERROR: current user cannot be dropped +RESET ROLE; +DROP ROLE regress_rol_rol33; +-- Should fail. DROP ROLE for session_user +CREATE ROLE regress_rol_rol34 SUPERUSER; +CREATE ROLE regress_rol_rol34a CREATEROLE; +SET SESSION AUTHORIZATION regress_rol_rol34; +SET ROLE regress_rol_rol34a; +DROP ROLE regress_rol_rol34; +ERROR: session user cannot be dropped +SET SESSION AUTHORIZATION DEFAULT; +DROP ROLE regress_rol_rol34; +DROP ROLE regress_rol_rol34a; +-- Should work. ALTER ROLE RENAME +ALTER ROLE regress_rol_rol1 RENAME TO regress_rol_rol1a; +ALTER ROLE regress_rol_rol1a RENAME TO regress_rol_rol1; -- Roll back, for future tests +-- Should fail. ALTER ROLE RENAME for non-existent role +ALTER ROLE role_37b RENAME TO regress_rol_rol37b; +ERROR: role "role_37b" does not exist +-- Should fail. ALTER ROLE RENAME for session_user not allowed +CREATE ROLE regress_rol_rol38; +SET SESSION AUTHORIZATION regress_rol_rol38; +ALTER ROLE regress_rol_rol38 RENAME TO regress_rol_rol38a; +ERROR: session user cannot be renamed +SET SESSION AUTHORIZATION DEFAULT; +DROP ROLE regress_rol_rol38; +-- Should fail. ALTER ROLE RENAME for current_user not allowed +CREATE ROLE regress_rol_rol39 CREATEROLE; +SET ROLE regress_rol_rol39; +ALTER ROLE regress_rol_rol39 RENAME TO regress_rol_rol39a; +ERROR: current user cannot be renamed +RESET ROLE; +DROP ROLE regress_rol_rol39; +-- Should fail. ALTER ROLE RENAME where target role already exists / reserved +CREATE ROLE regress_rol_rol40; +ALTER ROLE regress_rol_rol40 RENAME TO regress_rol_rol1; +ERROR: role "regress_rol_rol1" already exists +ALTER ROLE regress_rol_rol40 RENAME TO public; +ERROR: role name "public" is reserved +ALTER ROLE regress_rol_rol40 RENAME TO none; +ERROR: role name "none" is reserved +DROP ROLE regress_rol_rol40; +-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission +CREATE ROLE regress_rol_rol42 SUPERUSER; +CREATE ROLE regress_rol_rol43; +SET ROLE regress_rol_rol43; +ALTER ROLE regress_rol_rol42 RENAME TO regress_rol_rol42a; +ERROR: must be superuser to rename superusers +RESET ROLE; +DROP ROLE regress_rol_rol43; +DROP ROLE regress_rol_rol42; +-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission +CREATE ROLE regress_rol_rol44; +CREATE ROLE regress_rol_rol45; +SET ROLE regress_rol_rol45; +ALTER ROLE regress_rol_rol44 RENAME TO regress_rol_rol44a; +ERROR: permission denied to rename role +RESET ROLE; +DROP ROLE regress_rol_rol45; +DROP ROLE regress_rol_rol44; +-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password +CREATE ROLE regress_rol_rol46 WITH ENCRYPTED PASSWORD 'abc'; +ALTER ROLE regress_rol_rol46 RENAME TO regress_rol_rol46a; +NOTICE: MD5 password cleared because of role rename +DROP ROLE regress_rol_rol46a; +-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission +CREATE ROLE regress_rol_rol47 SUPERUSER; +CREATE ROLE regress_rol_rol47b; +CREATE ROLE regress_rol_rol48; +SET ROLE regress_rol_rol48; +GRANT regress_rol_rol47 TO regress_rol_rol47b; +ERROR: must be superuser to alter superusers +RESET ROLE; +ALTER ROLE regress_rol_rol48 CREATEROLE; +SET ROLE regress_rol_rol48; +GRANT regress_rol_rol47 TO regress_rol_rol47b; +ERROR: must be superuser to alter superusers +RESET ROLE; +ALTER ROLE regress_rol_rol48 SUPERUSER; +SET ROLE regress_rol_rol48; +GRANT regress_rol_rol47 TO regress_rol_rol47b; +REVOKE regress_rol_rol47 FROM regress_rol_rol47b; +RESET ROLE; +DROP ROLE regress_rol_rol47; +DROP ROLE regress_rol_rol47b; +DROP ROLE regress_rol_rol48; +-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN +CREATE ROLE regress_rol_rol49; +CREATE ROLE regress_rol_rol50; +CREATE ROLE regress_rol_rol51; +SET ROLE regress_rol_rol49; +GRANT regress_rol_rol50 TO regress_rol_rol51; +ERROR: must have admin option on role "regress_rol_rol50" +RESET ROLE; +ALTER ROLE regress_rol_rol49 CREATEROLE; +SET ROLE regress_rol_rol49; +GRANT regress_rol_rol50 TO regress_rol_rol51; +REVOKE regress_rol_rol50 FROM regress_rol_rol51; +RESET ROLE; +GRANT regress_rol_rol49 to regress_rol_rol50 WITH ADMIN OPTION; +SET ROLE regress_rol_rol49; +GRANT regress_rol_rol50 TO regress_rol_rol51; +REVOKE regress_rol_rol50 FROM regress_rol_rol51; +RESET ROLE; +DROP ROLE regress_rol_rol51; +DROP ROLE regress_rol_rol50; +DROP ROLE regress_rol_rol49; +-- Should fail. GRANT a ROLE should avoid becoming its own member / create loops +CREATE ROLE regress_rol_rol52; +CREATE ROLE regress_rol_rol53; +GRANT regress_rol_rol52 TO regress_rol_rol52; +ERROR: role "regress_rol_rol52" is a member of role "regress_rol_rol52" +GRANT regress_rol_rol52 TO regress_rol_rol53; +GRANT regress_rol_rol53 TO regress_rol_rol52; +ERROR: role "regress_rol_rol53" is a member of role "regress_rol_rol52" +DROP ROLE regress_rol_rol52; +DROP ROLE regress_rol_rol53; +-- Should fail. REVOKE without membership should throw error +CREATE ROLE regress_rol_rol61; +CREATE ROLE regress_rol_rol62; +REVOKE regress_rol_rol62 FROM regress_rol_rol61; +WARNING: role "regress_rol_rol61" is not a member of role "regress_rol_rol62" +DROP ROLE regress_rol_rol62; +DROP ROLE regress_rol_rol61; +-- Should work. REVOKE a GRANT WITH ADMIN OPTION +CREATE ROLE regress_rol_rol63; +CREATE ROLE regress_rol_rol64; +GRANT regress_rol_rol64 TO regress_rol_rol63 WITH ADMIN OPTION; +REVOKE ADMIN OPTION FOR regress_rol_rol64 FROM regress_rol_rol63; +DROP ROLE regress_rol_rol63; +DROP ROLE regress_rol_rol64; +-- Should fail. Can't ALTER ROLE VALID UNTIL with an invalid date +CREATE ROLE regress_rol_rol65; +ALTER ROLE regress_rol_rol65 VALID UNTIL '5874898/1/1'; -- Try invalid year +ERROR: timestamp out of range: "5874898/1/1" +ALTER ROLE regress_rol_rol65 VALID UNTIL 'invalid date'; -- Try non numeric date +ERROR: invalid input syntax for type timestamp with time zone: "invalid date" +ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/13/1';-- Try invalid month +ERROR: date/time field value out of range: "2030/13/1" +HINT: Perhaps you need a different "datestyle" setting. +ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/1/32';-- Try invalid day +ERROR: date/time field value out of range: "2030/1/32" +HINT: Perhaps you need a different "datestyle" setting. +ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/2/30';-- Try invalid day for feb +ERROR: date/time field value out of range: "2030/2/30" +DROP ROLE regress_rol_rol65; +-- Finally drop the universally used ROLE +DROP ROLE regress_rol_rol1; diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule index 3e6b306..dafeb41 100644 --- a/src/test/regress/parallel_schedule +++ b/src/test/regress/parallel_schedule @@ -83,7 +83,7 @@ test: select_into select_distinct select_distinct_on select_implicit select_havi # ---------- # Another group of parallel tests # ---------- -test: privileges security_label collate matview +test: privileges security_label collate matview role # ---------- # Another group of parallel tests diff --git a/src/test/regress/serial_schedule b/src/test/regress/serial_schedule index 3ad289f..8c5402a 100644 --- a/src/test/regress/serial_schedule +++ b/src/test/regress/serial_schedule @@ -96,6 +96,7 @@ test: privileges test: security_label test: collate test: matview +test: role test: alter_generic test: misc test: psql diff --git a/src/test/regress/sql/role.sql b/src/test/regress/sql/role.sql new file mode 100644 index 0000000..8c34da4 --- /dev/null +++ b/src/test/regress/sql/role.sql @@ -0,0 +1,314 @@ +-- +-- USER (ROLE) +-- Regression tests to check for ROLE related operations +-- + +-- Should work. SET configuration during ALTER ROLE +-- This role is used at multiple places and so DROPped at the end +CREATE ROLE regress_rol_rol1; +ALTER ROLE regress_rol_rol1 SET SEED=0.5; + +-- Should fail. Can't ALTER ROLE if it does not exist +ALTER ROLE regress_rol_rol1b SUPERUSER; +ALTER ROLE regress_rol_rol1b SET SEED=0.5; + +-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER +CREATE ROLE regress_rol_rol2; +SET ROLE regress_rol_rol2; +CREATE ROLE regress_rol_rol3 SUPERUSER; +RESET ROLE; +DROP ROLE regress_rol_rol2; + +-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER +CREATE ROLE regress_rol_rol2b; +CREATE ROLE regress_rol_rol3b; +SET ROLE regress_rol_rol2b; +ALTER ROLE regress_rol_rol3b SUPERUSER; +RESET ROLE; +DROP ROLE regress_rol_rol3b; +DROP ROLE regress_rol_rol2b; + +-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER +CREATE ROLE regress_rol_rol4; +CREATE ROLE regress_rol_rol5; +SET ROLE regress_rol_rol4; +ALTER ROLE regress_rol_rol5 SUPERUSER; +RESET ROLE; +DROP ROLE regress_rol_rol5; +DROP ROLE regress_rol_rol4; + +-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER +CREATE ROLE regress_rol_rol6 SUPERUSER; +CREATE ROLE regress_rol_rol7; +SET ROLE regress_rol_rol7; +ALTER ROLE regress_rol_rol6 NOSUPERUSER; +ALTER ROLE regress_rol_rol6 SET SEED=0.5; +RESET ROLE; +DROP ROLE regress_rol_rol7; +DROP ROLE regress_rol_rol6; + +-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege +CREATE ROLE regress_rol_rol7; +CREATE ROLE regress_rol_rol8; +SET ROLE regress_rol_rol8; +ALTER ROLE regress_rol_rol7 SET SEED = 0.5; +ALTER ROLE regress_rol_rol7 VALID UNTIL '9999/1/1'; +RESET ROLE; +DROP ROLE regress_rol_rol8; +DROP ROLE regress_rol_rol7; + +-- Should work. Do an ALTER ROLE SET on a database variable +CREATE SCHEMA schema_ro9; +SET ROLE regress_rol_rol1; +ALTER ROLE regress_rol_rol1 SET search_path TO schema_ro9, public; +RESET ROLE; +DROP SCHEMA schema_ro9; + +-- Should fail. ALTER ROLE on valid DB entities but non-existent roles +CREATE SCHEMA schema_ro11; +ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public; +DROP SCHEMA schema_ro11; + +-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER +CREATE ROLE regress_rol_rol12; +CREATE ROLE regress_rol_rol13 WITH REPLICATION; +SET ROLE regress_rol_rol12; +ALTER ROLE regress_rol_rol13 SET SEED = 0.5; +ALTER ROLE regress_rol_rol13 NOREPLICATION; +DROP ROLE regress_rol_rol13; +RESET ROLE; +DROP ROLE regress_rol_rol13; +DROP ROLE regress_rol_rol12; + +-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD +ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD 'abc'; +ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD 'abc'; + +-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value +ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD; +ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD; + +-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED +ALTER ROLE regress_rol_rol1 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc'; + +-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT +ALTER ROLE regress_rol_rol1 WITH INHERIT NOINHERIT; + +-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB +ALTER ROLE regress_rol_rol1 WITH CREATEDB NOCREATEDB; + +-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN +ALTER ROLE regress_rol_rol1 WITH LOGIN NOLOGIN; + +-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE +ALTER ROLE regress_rol_rol1 WITH CREATEROLE NOCREATEROLE; + +-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION +ALTER ROLE regress_rol_rol1 WITH REPLICATION NOREPLICATION; + +-- Should fail. ALTER ROLE with CONNECTION LIMIT 0 +ALTER ROLE regress_rol_rol1 WITH CONNECTION LIMIT 0; + +-- Should fail. ALTER ROLE with VALID UNTIL without a value +ALTER ROLE regress_rol_rol1 VALID UNTIL; + +-- Should fail. ALTER ROLE with invalid option +ALTER ROLE regress_rol_rol1 invalid_option; + +-- Should work. ALTER ROLE with valid values +ALTER ROLE regress_rol_rol1 WITH VALID UNTIL '9999/1/1' INHERIT LOGIN REPLICATION + CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5; + +-- Should work. ALTER ROLE with SET and valid values +ALTER ROLE regress_rol_rol1 SET SEED = 0.5 ; + +-- Should work. ALTER ROLE with IN DATABASE with ROLE +ALTER ROLE regress_rol_rol1 IN DATABASE regression SET SEED = 0.5 ; + +-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL +BEGIN TRANSACTION; +ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ; +ROLLBACK; + +-- Should fail. ALTER ROLE with PASSWORD NULL +ALTER ROLE regress_rol_rol1 PASSWORD NULL; + +-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER +BEGIN TRANSACTION; +CREATE ROLE regress_rol_rol31; +SET ROLE regress_rol_rol31; +ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ; +DROP ROLE regress_rol_rol31; +ROLLBACK; + +-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER +CREATE ROLE regress_rol_rol32; +SET ROLE regress_rol_rol32; +ALTER ROLE ALL SET SEED = 0.5 ; +RESET ROLE; +DROP ROLE regress_rol_rol32; + +-- Should fail. DROP ROLE for current user +CREATE ROLE regress_rol_rol33 CREATEROLE; +SET ROLE regress_rol_rol33; +DROP ROLE regress_rol_rol33; +RESET ROLE; +DROP ROLE regress_rol_rol33; + +-- Should fail. DROP ROLE for session_user +CREATE ROLE regress_rol_rol34 SUPERUSER; +CREATE ROLE regress_rol_rol34a CREATEROLE; +SET SESSION AUTHORIZATION regress_rol_rol34; +SET ROLE regress_rol_rol34a; +DROP ROLE regress_rol_rol34; +SET SESSION AUTHORIZATION DEFAULT; +DROP ROLE regress_rol_rol34; +DROP ROLE regress_rol_rol34a; + +-- Should work. ALTER ROLE RENAME +ALTER ROLE regress_rol_rol1 RENAME TO regress_rol_rol1a; +ALTER ROLE regress_rol_rol1a RENAME TO regress_rol_rol1; -- Roll back, for future tests + +-- Should fail. ALTER ROLE RENAME for non-existent role +ALTER ROLE role_37b RENAME TO regress_rol_rol37b; + +-- Should fail. ALTER ROLE RENAME for session_user not allowed +CREATE ROLE regress_rol_rol38; +SET SESSION AUTHORIZATION regress_rol_rol38; +ALTER ROLE regress_rol_rol38 RENAME TO regress_rol_rol38a; +SET SESSION AUTHORIZATION DEFAULT; +DROP ROLE regress_rol_rol38; + +-- Should fail. ALTER ROLE RENAME for current_user not allowed +CREATE ROLE regress_rol_rol39 CREATEROLE; +SET ROLE regress_rol_rol39; +ALTER ROLE regress_rol_rol39 RENAME TO regress_rol_rol39a; +RESET ROLE; +DROP ROLE regress_rol_rol39; + +-- Should fail. ALTER ROLE RENAME where target role already exists / reserved +CREATE ROLE regress_rol_rol40; +ALTER ROLE regress_rol_rol40 RENAME TO regress_rol_rol1; +ALTER ROLE regress_rol_rol40 RENAME TO public; +ALTER ROLE regress_rol_rol40 RENAME TO none; +DROP ROLE regress_rol_rol40; + +-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission +CREATE ROLE regress_rol_rol42 SUPERUSER; +CREATE ROLE regress_rol_rol43; +SET ROLE regress_rol_rol43; +ALTER ROLE regress_rol_rol42 RENAME TO regress_rol_rol42a; +RESET ROLE; +DROP ROLE regress_rol_rol43; +DROP ROLE regress_rol_rol42; + +-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission +CREATE ROLE regress_rol_rol44; +CREATE ROLE regress_rol_rol45; +SET ROLE regress_rol_rol45; +ALTER ROLE regress_rol_rol44 RENAME TO regress_rol_rol44a; +RESET ROLE; +DROP ROLE regress_rol_rol45; +DROP ROLE regress_rol_rol44; + +-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password +CREATE ROLE regress_rol_rol46 WITH ENCRYPTED PASSWORD 'abc'; +ALTER ROLE regress_rol_rol46 RENAME TO regress_rol_rol46a; +DROP ROLE regress_rol_rol46a; + + +-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission +CREATE ROLE regress_rol_rol47 SUPERUSER; +CREATE ROLE regress_rol_rol47b; +CREATE ROLE regress_rol_rol48; + +SET ROLE regress_rol_rol48; +GRANT regress_rol_rol47 TO regress_rol_rol47b; +RESET ROLE; + +ALTER ROLE regress_rol_rol48 CREATEROLE; + +SET ROLE regress_rol_rol48; +GRANT regress_rol_rol47 TO regress_rol_rol47b; +RESET ROLE; + +ALTER ROLE regress_rol_rol48 SUPERUSER; + +SET ROLE regress_rol_rol48; +GRANT regress_rol_rol47 TO regress_rol_rol47b; +REVOKE regress_rol_rol47 FROM regress_rol_rol47b; +RESET ROLE; + +DROP ROLE regress_rol_rol47; +DROP ROLE regress_rol_rol47b; +DROP ROLE regress_rol_rol48; + + + +-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN +CREATE ROLE regress_rol_rol49; +CREATE ROLE regress_rol_rol50; +CREATE ROLE regress_rol_rol51; + +SET ROLE regress_rol_rol49; +GRANT regress_rol_rol50 TO regress_rol_rol51; +RESET ROLE; + +ALTER ROLE regress_rol_rol49 CREATEROLE; + +SET ROLE regress_rol_rol49; +GRANT regress_rol_rol50 TO regress_rol_rol51; +REVOKE regress_rol_rol50 FROM regress_rol_rol51; +RESET ROLE; + +GRANT regress_rol_rol49 to regress_rol_rol50 WITH ADMIN OPTION; + +SET ROLE regress_rol_rol49; +GRANT regress_rol_rol50 TO regress_rol_rol51; +REVOKE regress_rol_rol50 FROM regress_rol_rol51; +RESET ROLE; + +DROP ROLE regress_rol_rol51; +DROP ROLE regress_rol_rol50; +DROP ROLE regress_rol_rol49; + + + +-- Should fail. GRANT a ROLE should avoid becoming its own member / create loops +CREATE ROLE regress_rol_rol52; +CREATE ROLE regress_rol_rol53; +GRANT regress_rol_rol52 TO regress_rol_rol52; +GRANT regress_rol_rol52 TO regress_rol_rol53; +GRANT regress_rol_rol53 TO regress_rol_rol52; +DROP ROLE regress_rol_rol52; +DROP ROLE regress_rol_rol53; + + +-- Should fail. REVOKE without membership should throw error +CREATE ROLE regress_rol_rol61; +CREATE ROLE regress_rol_rol62; +REVOKE regress_rol_rol62 FROM regress_rol_rol61; +DROP ROLE regress_rol_rol62; +DROP ROLE regress_rol_rol61; + + +-- Should work. REVOKE a GRANT WITH ADMIN OPTION +CREATE ROLE regress_rol_rol63; +CREATE ROLE regress_rol_rol64; +GRANT regress_rol_rol64 TO regress_rol_rol63 WITH ADMIN OPTION; +REVOKE ADMIN OPTION FOR regress_rol_rol64 FROM regress_rol_rol63; +DROP ROLE regress_rol_rol63; +DROP ROLE regress_rol_rol64; + +-- Should fail. Can't ALTER ROLE VALID UNTIL with an invalid date +CREATE ROLE regress_rol_rol65; +ALTER ROLE regress_rol_rol65 VALID UNTIL '5874898/1/1'; -- Try invalid year +ALTER ROLE regress_rol_rol65 VALID UNTIL 'invalid date'; -- Try non numeric date +ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/13/1';-- Try invalid month +ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/1/32';-- Try invalid day +ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/2/30';-- Try invalid day for feb +DROP ROLE regress_rol_rol65; + +-- Finally drop the universally used ROLE +DROP ROLE regress_rol_rol1; +