Add regression tests for ROLE (USER)
Started by Robins Tharakanalmost 13 years ago13 messages
Hi,
Please find attached a patch to take 'make check' code-coverage of ROLE
(USER) from 59% to 91%.
Any feedback is more than welcome.
--
Robins Tharakan
Attachments:
regress_user.patchapplication/octet-stream; name=regress_user.patchDownload
From 7debe5897436a84522ad2595ec7e553de3f114d7 Mon Sep 17 00:00:00 2001
From: Robins Tharakan <robins@pobox.com>
Date: Mon, 18 Mar 2013 13:24:52 +0530
Subject: [PATCH] Add regression tests for ROLE (USER)
---
src/test/regress/expected/user.out | 331 ++++++++++++++++++++++++++++++++++
src/test/regress/parallel_schedule | 2 +-
src/test/regress/sql/user.sql | 342 ++++++++++++++++++++++++++++++++++++
3 files changed, 674 insertions(+), 1 deletion(-)
create mode 100644 src/test/regress/expected/user.out
create mode 100644 src/test/regress/sql/user.sql
diff --git a/src/test/regress/expected/user.out b/src/test/regress/expected/user.out
new file mode 100644
index 0000000..bd86204
--- /dev/null
+++ b/src/test/regress/expected/user.out
@@ -0,0 +1,331 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+-- Should work. SET configuration during ALTER ROLE
+CREATE ROLE role_ro1;
+ALTER ROLE role_ro1 SET SEED=0.5;
+DROP ROLE role_ro1;
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE asdf SUPERUSER;
+ERROR: role "asdf" does not exist
+ALTER ROLE asdf SET SEED=0.5;
+ERROR: role "asdf" does not exist
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+SET ROLE role_ro2;
+CREATE ROLE role_ro3 SUPERUSER;
+ERROR: must be superuser to create superusers
+RESET ROLE;
+DROP ROLE role_ro2;
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+CREATE ROLE role_ro3;
+SET ROLE role_ro2;
+ALTER ROLE role_ro3 SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro3;
+DROP ROLE role_ro2;
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro4;
+CREATE ROLE role_ro5;
+SET ROLE role_ro4;
+ALTER ROLE role_ro5 SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro5;
+DROP ROLE role_ro4;
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro6 SUPERUSER;
+CREATE ROLE role_ro7;
+SET ROLE role_ro7;
+ALTER ROLE role_ro6 NOSUPERUSER;
+ERROR: must be superuser to alter superusers
+ALTER ROLE role_ro6 SET SEED=0.5;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro7;
+DROP ROLE role_ro6;
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE role_ro7;
+CREATE ROLE role_ro8;
+SET ROLE role_ro8;
+ALTER ROLE role_ro7 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE role_ro7 VALID UNTIL '2030/1/1';
+ERROR: permission denied
+RESET ROLE;
+DROP ROLE role_ro8;
+DROP ROLE role_ro7;
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE ROLE role_ro9;
+CREATE SCHEMA schema_ro9;
+SET ROLE role_ro9;
+ALTER ROLE role_ro9 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+DROP ROLE role_ro9;
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+ERROR: role "schema_ro11" does not exist
+DROP SCHEMA schema_ro11;
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE role_ro12;
+CREATE ROLE role_ro13 WITH REPLICATION;
+SET ROLE role_ro12;
+ALTER ROLE role_ro13 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE role_ro13 NOREPLICATION;
+ERROR: must be superuser to alter replication users
+DROP ROLE role_ro13;
+ERROR: permission denied to drop role
+RESET ROLE;
+DROP ROLE role_ro13;
+DROP ROLE role_ro12;
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE role_ro14;
+ALTER ROLE role_ro14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro14;
+CREATE ROLE role_ro15;
+ALTER ROLE role_ro15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro15;
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE role_ro16;
+ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+ ^
+DROP ROLE role_ro16;
+CREATE ROLE role_ro17;
+ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+ ^
+DROP ROLE role_ro17;
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE role_ro18;
+ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+ERROR: syntax error at or near "UNENCRYPTED"
+LINE 1: ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'ab...
+ ^
+DROP ROLE role_ro18;
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+CREATE ROLE role_ro19;
+ALTER ROLE role_ro19 WITH INHERIT NOINHERIT;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro19;
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+CREATE ROLE role_ro20;
+ALTER ROLE role_ro20 WITH CREATEDB NOCREATEDB;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro20;
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+CREATE ROLE role_ro21;
+ALTER ROLE role_ro21 WITH LOGIN NOLOGIN;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro21;
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+CREATE ROLE role_ro22;
+ALTER ROLE role_ro22 WITH CREATEROLE NOCREATEROLE;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro22;
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+CREATE ROLE role_ro23;
+ALTER ROLE role_ro23 WITH REPLICATION NOREPLICATION;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro23;
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+CREATE ROLE role_ro24;
+ALTER ROLE role_ro24 WITH CONNECTION LIMIT 0;
+DROP ROLE role_ro24;
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+CREATE ROLE role_ro25;
+ALTER ROLE role_ro25 VALID UNTIL;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro25 VALID UNTIL;
+ ^
+DROP ROLE role_ro25;
+-- Should fail. ALTER ROLE with invalid option
+CREATE ROLE role_ro26;
+ALTER ROLE role_ro26 ASDF;
+ERROR: unrecognized role option "asdf"
+LINE 1: ALTER ROLE role_ro26 ASDF;
+ ^
+DROP ROLE role_ro26;
+-- Should work. ALTER ROLE with valid values
+CREATE ROLE role_ro27;
+ALTER ROLE role_ro27 WITH VALID UNTIL '2030/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+DROP ROLE role_ro27;
+-- Should work. ALTER ROLE with SET and valid values
+CREATE ROLE role_ro28;
+ALTER ROLE role_ro28 SET SEED = 0.5 ;
+DROP ROLE role_ro28;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+CREATE ROLE role_ro29;
+ALTER ROLE role_ro29 IN DATABASE regression SET SEED = 0.5 ;
+DROP ROLE role_ro29;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+-- Should fail. ALTER ROLE with PASSWORD NULL
+CREATE ROLE role_ro30;
+ALTER ROLE role_ro30 PASSWORD NULL;
+DROP ROLE role_ro30;
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE role_ro31;
+SET ROLE role_ro31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+ERROR: must be owner of database postgres
+DROP ROLE role_ro31;
+ERROR: current transaction is aborted, commands ignored until end of transaction block
+ROLLBACK;
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE role_ro32;
+SET ROLE role_ro32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+ERROR: must be superuser to alter settings globally
+RESET ROLE;
+DROP ROLE role_ro32;
+-- Should fail. DROP ROLE for current user
+CREATE ROLE role_ro33 CREATEROLE;
+SET ROLE role_ro33;
+DROP ROLE role_ro33;
+ERROR: current user cannot be dropped
+RESET ROLE;
+DROP ROLE role_ro33;
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE role_ro34 SUPERUSER;
+CREATE ROLE role_ro34a CREATEROLE;
+SET SESSION AUTHORIZATION role_ro34;
+SET ROLE role_ro34a;
+DROP ROLE role_ro34;
+ERROR: session user cannot be dropped
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro34;
+DROP ROLE role_ro34a;
+-- Should work. ALTER ROLE RENAME
+CREATE ROLE role_ro37;
+ALTER ROLE role_ro37 RENAME TO role_ro37a;
+DROP ROLE role_ro37a;
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE asdf RENAME TO role_ro37b;
+ERROR: role "asdf" does not exist
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE role_ro38;
+SET SESSION AUTHORIZATION role_ro38;
+ALTER ROLE role_ro38 RENAME TO role_ro38a;
+ERROR: session user cannot be renamed
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro38;
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE role_ro39 CREATEROLE;
+SET ROLE role_ro39;
+ALTER ROLE role_ro39 RENAME TO role_ro39a;
+ERROR: current user cannot be renamed
+RESET ROLE;
+DROP ROLE role_ro39;
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE role_ro40;
+CREATE ROLE role_ro41;
+ALTER ROLE role_ro40 RENAME TO role_ro41;
+ERROR: role "role_ro41" already exists
+ALTER ROLE role_ro40 RENAME TO public;
+ERROR: role name "public" is reserved
+ALTER ROLE role_ro40 RENAME TO none;
+ERROR: role name "none" is reserved
+DROP ROLE role_ro40;
+DROP ROLE role_ro41;
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE role_ro42 SUPERUSER;
+CREATE ROLE role_ro43;
+SET ROLE role_ro43;
+ALTER ROLE role_ro42 RENAME TO role_ro42a;
+ERROR: must be superuser to rename superusers
+RESET ROLE;
+DROP ROLE role_ro43;
+DROP ROLE role_ro42;
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE role_ro44;
+CREATE ROLE role_ro45;
+SET ROLE role_ro45;
+ALTER ROLE role_ro44 RENAME TO role_ro44a;
+ERROR: permission denied to rename role
+RESET ROLE;
+DROP ROLE role_ro45;
+DROP ROLE role_ro44;
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE role_ro46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE role_ro46 RENAME TO role_ro46a;
+NOTICE: MD5 password cleared because of role rename
+DROP ROLE role_ro46a;
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE role_ro47 SUPERUSER;
+CREATE ROLE role_ro47b;
+CREATE ROLE role_ro48;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE role_ro48 CREATEROLE;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE role_ro48 SUPERUSER;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+REVOKE role_ro47 FROM role_ro47b;
+RESET ROLE;
+DROP ROLE role_ro47;
+DROP ROLE role_ro47b;
+DROP ROLE role_ro48;
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE role_ro49;
+CREATE ROLE role_ro50;
+CREATE ROLE role_ro51;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+ERROR: must have admin option on role "role_ro50"
+RESET ROLE;
+ALTER ROLE role_ro49 CREATEROLE;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+GRANT role_ro49 to role_ro50 WITH ADMIN OPTION;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+DROP ROLE role_ro51;
+DROP ROLE role_ro50;
+DROP ROLE role_ro49;
+-- Should fail. GRANT a ROLE should avoid becoming its own member or do loops
+CREATE ROLE role_ro52;
+CREATE ROLE role_ro53;
+GRANT role_ro52 TO role_ro52;
+ERROR: role "role_ro52" is a member of role "role_ro52"
+GRANT role_ro52 TO role_ro53;
+GRANT role_ro53 TO role_ro52;
+ERROR: role "role_ro53" is a member of role "role_ro52"
+DROP ROLE role_ro52;
+DROP ROLE role_ro53;
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE role_ro61;
+CREATE ROLE role_ro62;
+REVOKE role_ro62 FROM role_ro61;
+WARNING: role "role_ro61" is not a member of role "role_ro62"
+DROP ROLE role_ro62;
+DROP ROLE role_ro61;
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE role_ro63;
+CREATE ROLE role_ro64;
+GRANT role_ro64 TO role_ro63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR role_ro64 FROM role_ro63;
+DROP ROLE role_ro63;
+DROP ROLE role_ro64;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 2af28b1..7360f8b 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -59,7 +59,7 @@ test: create_index create_view
# ----------
# Another group of parallel tests
# ----------
-test: create_aggregate create_function_3 create_cast constraints triggers inherit create_table_like typed_table vacuum drop_if_exists updatable_views
+test: create_aggregate create_function_3 create_cast constraints triggers inherit create_table_like typed_table vacuum drop_if_exists updatable_views user
# ----------
# sanity_check does a vacuum, affecting the sort order of SELECT *
diff --git a/src/test/regress/sql/user.sql b/src/test/regress/sql/user.sql
new file mode 100644
index 0000000..9ef8f9d
--- /dev/null
+++ b/src/test/regress/sql/user.sql
@@ -0,0 +1,342 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+
+-- Should work. SET configuration during ALTER ROLE
+CREATE ROLE role_ro1;
+ALTER ROLE role_ro1 SET SEED=0.5;
+DROP ROLE role_ro1;
+
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE asdf SUPERUSER;
+ALTER ROLE asdf SET SEED=0.5;
+
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+SET ROLE role_ro2;
+CREATE ROLE role_ro3 SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro2;
+
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+CREATE ROLE role_ro3;
+SET ROLE role_ro2;
+ALTER ROLE role_ro3 SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro3;
+DROP ROLE role_ro2;
+
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro4;
+CREATE ROLE role_ro5;
+SET ROLE role_ro4;
+ALTER ROLE role_ro5 SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro5;
+DROP ROLE role_ro4;
+
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro6 SUPERUSER;
+CREATE ROLE role_ro7;
+SET ROLE role_ro7;
+ALTER ROLE role_ro6 NOSUPERUSER;
+ALTER ROLE role_ro6 SET SEED=0.5;
+RESET ROLE;
+DROP ROLE role_ro7;
+DROP ROLE role_ro6;
+
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE role_ro7;
+CREATE ROLE role_ro8;
+SET ROLE role_ro8;
+ALTER ROLE role_ro7 SET SEED = 0.5;
+ALTER ROLE role_ro7 VALID UNTIL '2030/1/1';
+RESET ROLE;
+DROP ROLE role_ro8;
+DROP ROLE role_ro7;
+
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE ROLE role_ro9;
+CREATE SCHEMA schema_ro9;
+SET ROLE role_ro9;
+ALTER ROLE role_ro9 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+DROP ROLE role_ro9;
+
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+DROP SCHEMA schema_ro11;
+
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE role_ro12;
+CREATE ROLE role_ro13 WITH REPLICATION;
+SET ROLE role_ro12;
+ALTER ROLE role_ro13 SET SEED = 0.5;
+ALTER ROLE role_ro13 NOREPLICATION;
+DROP ROLE role_ro13;
+RESET ROLE;
+DROP ROLE role_ro13;
+DROP ROLE role_ro12;
+
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE role_ro14;
+ALTER ROLE role_ro14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro14;
+CREATE ROLE role_ro15;
+ALTER ROLE role_ro15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro15;
+
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE role_ro16;
+ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+DROP ROLE role_ro16;
+CREATE ROLE role_ro17;
+ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+DROP ROLE role_ro17;
+
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE role_ro18;
+ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro18;
+
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+CREATE ROLE role_ro19;
+ALTER ROLE role_ro19 WITH INHERIT NOINHERIT;
+DROP ROLE role_ro19;
+
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+CREATE ROLE role_ro20;
+ALTER ROLE role_ro20 WITH CREATEDB NOCREATEDB;
+DROP ROLE role_ro20;
+
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+CREATE ROLE role_ro21;
+ALTER ROLE role_ro21 WITH LOGIN NOLOGIN;
+DROP ROLE role_ro21;
+
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+CREATE ROLE role_ro22;
+ALTER ROLE role_ro22 WITH CREATEROLE NOCREATEROLE;
+DROP ROLE role_ro22;
+
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+CREATE ROLE role_ro23;
+ALTER ROLE role_ro23 WITH REPLICATION NOREPLICATION;
+DROP ROLE role_ro23;
+
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+CREATE ROLE role_ro24;
+ALTER ROLE role_ro24 WITH CONNECTION LIMIT 0;
+DROP ROLE role_ro24;
+
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+CREATE ROLE role_ro25;
+ALTER ROLE role_ro25 VALID UNTIL;
+DROP ROLE role_ro25;
+
+-- Should fail. ALTER ROLE with invalid option
+CREATE ROLE role_ro26;
+ALTER ROLE role_ro26 ASDF;
+DROP ROLE role_ro26;
+
+-- Should work. ALTER ROLE with valid values
+CREATE ROLE role_ro27;
+ALTER ROLE role_ro27 WITH VALID UNTIL '2030/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+DROP ROLE role_ro27;
+
+-- Should work. ALTER ROLE with SET and valid values
+CREATE ROLE role_ro28;
+ALTER ROLE role_ro28 SET SEED = 0.5 ;
+DROP ROLE role_ro28;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+CREATE ROLE role_ro29;
+ALTER ROLE role_ro29 IN DATABASE regression SET SEED = 0.5 ;
+DROP ROLE role_ro29;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with PASSWORD NULL
+CREATE ROLE role_ro30;
+ALTER ROLE role_ro30 PASSWORD NULL;
+DROP ROLE role_ro30;
+
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE role_ro31;
+SET ROLE role_ro31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+DROP ROLE role_ro31;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE role_ro32;
+SET ROLE role_ro32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+RESET ROLE;
+DROP ROLE role_ro32;
+
+-- Should fail. DROP ROLE for current user
+CREATE ROLE role_ro33 CREATEROLE;
+SET ROLE role_ro33;
+DROP ROLE role_ro33;
+RESET ROLE;
+DROP ROLE role_ro33;
+
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE role_ro34 SUPERUSER;
+CREATE ROLE role_ro34a CREATEROLE;
+SET SESSION AUTHORIZATION role_ro34;
+SET ROLE role_ro34a;
+DROP ROLE role_ro34;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro34;
+DROP ROLE role_ro34a;
+
+-- Should work. ALTER ROLE RENAME
+CREATE ROLE role_ro37;
+ALTER ROLE role_ro37 RENAME TO role_ro37a;
+DROP ROLE role_ro37a;
+
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE asdf RENAME TO role_ro37b;
+
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE role_ro38;
+SET SESSION AUTHORIZATION role_ro38;
+ALTER ROLE role_ro38 RENAME TO role_ro38a;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro38;
+
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE role_ro39 CREATEROLE;
+SET ROLE role_ro39;
+ALTER ROLE role_ro39 RENAME TO role_ro39a;
+RESET ROLE;
+DROP ROLE role_ro39;
+
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE role_ro40;
+CREATE ROLE role_ro41;
+ALTER ROLE role_ro40 RENAME TO role_ro41;
+ALTER ROLE role_ro40 RENAME TO public;
+ALTER ROLE role_ro40 RENAME TO none;
+DROP ROLE role_ro40;
+DROP ROLE role_ro41;
+
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE role_ro42 SUPERUSER;
+CREATE ROLE role_ro43;
+SET ROLE role_ro43;
+ALTER ROLE role_ro42 RENAME TO role_ro42a;
+RESET ROLE;
+DROP ROLE role_ro43;
+DROP ROLE role_ro42;
+
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE role_ro44;
+CREATE ROLE role_ro45;
+SET ROLE role_ro45;
+ALTER ROLE role_ro44 RENAME TO role_ro44a;
+RESET ROLE;
+DROP ROLE role_ro45;
+DROP ROLE role_ro44;
+
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE role_ro46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE role_ro46 RENAME TO role_ro46a;
+DROP ROLE role_ro46a;
+
+
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE role_ro47 SUPERUSER;
+CREATE ROLE role_ro47b;
+CREATE ROLE role_ro48;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+RESET ROLE;
+
+ALTER ROLE role_ro48 CREATEROLE;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+RESET ROLE;
+
+ALTER ROLE role_ro48 SUPERUSER;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+REVOKE role_ro47 FROM role_ro47b;
+RESET ROLE;
+
+DROP ROLE role_ro47;
+DROP ROLE role_ro47b;
+DROP ROLE role_ro48;
+
+
+
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE role_ro49;
+CREATE ROLE role_ro50;
+CREATE ROLE role_ro51;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+RESET ROLE;
+
+ALTER ROLE role_ro49 CREATEROLE;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+
+GRANT role_ro49 to role_ro50 WITH ADMIN OPTION;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+
+DROP ROLE role_ro51;
+DROP ROLE role_ro50;
+DROP ROLE role_ro49;
+
+
+
+-- Should fail. GRANT a ROLE should avoid becoming its own member or do loops
+CREATE ROLE role_ro52;
+CREATE ROLE role_ro53;
+GRANT role_ro52 TO role_ro52;
+GRANT role_ro52 TO role_ro53;
+GRANT role_ro53 TO role_ro52;
+DROP ROLE role_ro52;
+DROP ROLE role_ro53;
+
+
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE role_ro61;
+CREATE ROLE role_ro62;
+REVOKE role_ro62 FROM role_ro61;
+DROP ROLE role_ro62;
+DROP ROLE role_ro61;
+
+
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE role_ro63;
+CREATE ROLE role_ro64;
+GRANT role_ro64 TO role_ro63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR role_ro64 FROM role_ro63;
+DROP ROLE role_ro63;
+DROP ROLE role_ro64;
+
+
--
1.7.10.4
Re: Add regression tests for ROLE (USER)
Hi,
Please find an updated patch as per comments on Commitfest (comments
replicated below for ease of understanding).
Feedback 1:
fc: role_ro2/3 used twice?
rt: Corrected in this update.
Feedback 2:
fc: I do not understand why "asdf" conveys anything about an expected
failure. Association of Scientists, Developers and Faculties? :-)
rt: ASDF is a pattern that I learnt in one of the tests (SEQUENCE?) that
pre-existed when I started working. Its a slang for arbit text that I just
reused thinking that it is normal practice here. Anyway, have corrected
that in this update.
Feedback 3:
fc: 2030/1/1 -> 2030-01-01? maybe use a larger date?
rt: 2030/1/1 date is not a failure point of the test. It needs to be a
valid date (but sufficiently distant that so that tests don't fail). I
tried setting this to 2200/1/1 and I get the same error message. Let me
know if this still needs to be a large date.
fb: VALID UNTIL '9999-12-31' works for me...
rt: I thought 20 years is a date sufficiently far ahead to ensure that this
test doesn't fail. Sure, have updated the test to use 9999/1/1. Also, have
added more tests at the end to ensure date-checks are also being validated
in ALTER ROLE VALID UNTIL.
Let me know if you need anything else changed in this.
--
Robins Tharakan
On 20 March 2013 03:41, Robins Tharakan <tharakan@gmail.com> wrote:
Show quoted text
Hi,
Please find attached a patch to take 'make check' code-coverage of ROLE
(USER) from 59% to 91%.Any feedback is more than welcome.
--
Robins Tharakan
Attachments:
regress_user_v2.patchapplication/octet-stream; name=regress_user_v2.patchDownload
diff --git a/src/test/regress/expected/user.out b/src/test/regress/expected/user.out
new file mode 100644
index 0000000..5aebdb7
--- /dev/null
+++ b/src/test/regress/expected/user.out
@@ -0,0 +1,346 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+-- Should work. SET configuration during ALTER ROLE
+CREATE ROLE role_ro1;
+ALTER ROLE role_ro1 SET SEED=0.5;
+DROP ROLE role_ro1;
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE role_ro1b SUPERUSER;
+ERROR: role "role_ro1b" does not exist
+ALTER ROLE role_ro1b SET SEED=0.5;
+ERROR: role "role_ro1b" does not exist
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+SET ROLE role_ro2;
+CREATE ROLE role_ro3 SUPERUSER;
+ERROR: must be superuser to create superusers
+RESET ROLE;
+DROP ROLE role_ro2;
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2b;
+CREATE ROLE role_ro3b;
+SET ROLE role_ro2b;
+ALTER ROLE role_ro3b SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro3b;
+DROP ROLE role_ro2b;
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro4;
+CREATE ROLE role_ro5;
+SET ROLE role_ro4;
+ALTER ROLE role_ro5 SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro5;
+DROP ROLE role_ro4;
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro6 SUPERUSER;
+CREATE ROLE role_ro7;
+SET ROLE role_ro7;
+ALTER ROLE role_ro6 NOSUPERUSER;
+ERROR: must be superuser to alter superusers
+ALTER ROLE role_ro6 SET SEED=0.5;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE role_ro7;
+DROP ROLE role_ro6;
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE role_ro7;
+CREATE ROLE role_ro8;
+SET ROLE role_ro8;
+ALTER ROLE role_ro7 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE role_ro7 VALID UNTIL '9999/1/1';
+ERROR: permission denied
+RESET ROLE;
+DROP ROLE role_ro8;
+DROP ROLE role_ro7;
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE ROLE role_ro9;
+CREATE SCHEMA schema_ro9;
+SET ROLE role_ro9;
+ALTER ROLE role_ro9 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+DROP ROLE role_ro9;
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+ERROR: role "schema_ro11" does not exist
+DROP SCHEMA schema_ro11;
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE role_ro12;
+CREATE ROLE role_ro13 WITH REPLICATION;
+SET ROLE role_ro12;
+ALTER ROLE role_ro13 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE role_ro13 NOREPLICATION;
+ERROR: must be superuser to alter replication users
+DROP ROLE role_ro13;
+ERROR: permission denied to drop role
+RESET ROLE;
+DROP ROLE role_ro13;
+DROP ROLE role_ro12;
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE role_ro14;
+ALTER ROLE role_ro14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro14;
+CREATE ROLE role_ro15;
+ALTER ROLE role_ro15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro15;
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE role_ro16;
+ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+ ^
+DROP ROLE role_ro16;
+CREATE ROLE role_ro17;
+ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+ ^
+DROP ROLE role_ro17;
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE role_ro18;
+ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+ERROR: syntax error at or near "UNENCRYPTED"
+LINE 1: ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'ab...
+ ^
+DROP ROLE role_ro18;
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+CREATE ROLE role_ro19;
+ALTER ROLE role_ro19 WITH INHERIT NOINHERIT;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro19;
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+CREATE ROLE role_ro20;
+ALTER ROLE role_ro20 WITH CREATEDB NOCREATEDB;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro20;
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+CREATE ROLE role_ro21;
+ALTER ROLE role_ro21 WITH LOGIN NOLOGIN;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro21;
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+CREATE ROLE role_ro22;
+ALTER ROLE role_ro22 WITH CREATEROLE NOCREATEROLE;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro22;
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+CREATE ROLE role_ro23;
+ALTER ROLE role_ro23 WITH REPLICATION NOREPLICATION;
+ERROR: conflicting or redundant options
+DROP ROLE role_ro23;
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+CREATE ROLE role_ro24;
+ALTER ROLE role_ro24 WITH CONNECTION LIMIT 0;
+DROP ROLE role_ro24;
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+CREATE ROLE role_ro25;
+ALTER ROLE role_ro25 VALID UNTIL;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE role_ro25 VALID UNTIL;
+ ^
+DROP ROLE role_ro25;
+-- Should fail. ALTER ROLE with invalid option
+CREATE ROLE role_ro26;
+ALTER ROLE role_ro26 invalid_option;
+ERROR: unrecognized role option "invalid_option"
+LINE 1: ALTER ROLE role_ro26 invalid_option;
+ ^
+DROP ROLE role_ro26;
+-- Should work. ALTER ROLE with valid values
+CREATE ROLE role_ro27;
+ALTER ROLE role_ro27 WITH VALID UNTIL '9999/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+DROP ROLE role_ro27;
+-- Should work. ALTER ROLE with SET and valid values
+CREATE ROLE role_ro28;
+ALTER ROLE role_ro28 SET SEED = 0.5 ;
+DROP ROLE role_ro28;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+CREATE ROLE role_ro29;
+ALTER ROLE role_ro29 IN DATABASE regression SET SEED = 0.5 ;
+DROP ROLE role_ro29;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+-- Should fail. ALTER ROLE with PASSWORD NULL
+CREATE ROLE role_ro30;
+ALTER ROLE role_ro30 PASSWORD NULL;
+DROP ROLE role_ro30;
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE role_ro31;
+SET ROLE role_ro31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+ERROR: must be owner of database postgres
+DROP ROLE role_ro31;
+ERROR: current transaction is aborted, commands ignored until end of transaction block
+ROLLBACK;
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE role_ro32;
+SET ROLE role_ro32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+ERROR: must be superuser to alter settings globally
+RESET ROLE;
+DROP ROLE role_ro32;
+-- Should fail. DROP ROLE for current user
+CREATE ROLE role_ro33 CREATEROLE;
+SET ROLE role_ro33;
+DROP ROLE role_ro33;
+ERROR: current user cannot be dropped
+RESET ROLE;
+DROP ROLE role_ro33;
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE role_ro34 SUPERUSER;
+CREATE ROLE role_ro34a CREATEROLE;
+SET SESSION AUTHORIZATION role_ro34;
+SET ROLE role_ro34a;
+DROP ROLE role_ro34;
+ERROR: session user cannot be dropped
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro34;
+DROP ROLE role_ro34a;
+-- Should work. ALTER ROLE RENAME
+CREATE ROLE role_ro37;
+ALTER ROLE role_ro37 RENAME TO role_ro37a;
+DROP ROLE role_ro37a;
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE role_37b RENAME TO role_ro37b;
+ERROR: role "role_37b" does not exist
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE role_ro38;
+SET SESSION AUTHORIZATION role_ro38;
+ALTER ROLE role_ro38 RENAME TO role_ro38a;
+ERROR: session user cannot be renamed
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro38;
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE role_ro39 CREATEROLE;
+SET ROLE role_ro39;
+ALTER ROLE role_ro39 RENAME TO role_ro39a;
+ERROR: current user cannot be renamed
+RESET ROLE;
+DROP ROLE role_ro39;
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE role_ro40;
+CREATE ROLE role_ro41;
+ALTER ROLE role_ro40 RENAME TO role_ro41;
+ERROR: role "role_ro41" already exists
+ALTER ROLE role_ro40 RENAME TO public;
+ERROR: role name "public" is reserved
+ALTER ROLE role_ro40 RENAME TO none;
+ERROR: role name "none" is reserved
+DROP ROLE role_ro40;
+DROP ROLE role_ro41;
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE role_ro42 SUPERUSER;
+CREATE ROLE role_ro43;
+SET ROLE role_ro43;
+ALTER ROLE role_ro42 RENAME TO role_ro42a;
+ERROR: must be superuser to rename superusers
+RESET ROLE;
+DROP ROLE role_ro43;
+DROP ROLE role_ro42;
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE role_ro44;
+CREATE ROLE role_ro45;
+SET ROLE role_ro45;
+ALTER ROLE role_ro44 RENAME TO role_ro44a;
+ERROR: permission denied to rename role
+RESET ROLE;
+DROP ROLE role_ro45;
+DROP ROLE role_ro44;
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE role_ro46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE role_ro46 RENAME TO role_ro46a;
+NOTICE: MD5 password cleared because of role rename
+DROP ROLE role_ro46a;
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE role_ro47 SUPERUSER;
+CREATE ROLE role_ro47b;
+CREATE ROLE role_ro48;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE role_ro48 CREATEROLE;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE role_ro48 SUPERUSER;
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+REVOKE role_ro47 FROM role_ro47b;
+RESET ROLE;
+DROP ROLE role_ro47;
+DROP ROLE role_ro47b;
+DROP ROLE role_ro48;
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE role_ro49;
+CREATE ROLE role_ro50;
+CREATE ROLE role_ro51;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+ERROR: must have admin option on role "role_ro50"
+RESET ROLE;
+ALTER ROLE role_ro49 CREATEROLE;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+GRANT role_ro49 to role_ro50 WITH ADMIN OPTION;
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+DROP ROLE role_ro51;
+DROP ROLE role_ro50;
+DROP ROLE role_ro49;
+-- Should fail. GRANT a ROLE should avoid becoming its own member or do loops
+CREATE ROLE role_ro52;
+CREATE ROLE role_ro53;
+GRANT role_ro52 TO role_ro52;
+ERROR: role "role_ro52" is a member of role "role_ro52"
+GRANT role_ro52 TO role_ro53;
+GRANT role_ro53 TO role_ro52;
+ERROR: role "role_ro53" is a member of role "role_ro52"
+DROP ROLE role_ro52;
+DROP ROLE role_ro53;
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE role_ro61;
+CREATE ROLE role_ro62;
+REVOKE role_ro62 FROM role_ro61;
+WARNING: role "role_ro61" is not a member of role "role_ro62"
+DROP ROLE role_ro62;
+DROP ROLE role_ro61;
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE role_ro63;
+CREATE ROLE role_ro64;
+GRANT role_ro64 TO role_ro63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR role_ro64 FROM role_ro63;
+DROP ROLE role_ro63;
+DROP ROLE role_ro64;
+-- Should fail. Can't ALTER ROLE VALID UNTIL with an invalid date
+CREATE ROLE role_ro65;
+ALTER ROLE role_ro65 VALID UNTIL '5874898/1/1'; -- Try invalid year
+ERROR: timestamp out of range: "5874898/1/1"
+ALTER ROLE role_ro65 VALID UNTIL 'invalid date'; -- Try non numeric date
+ERROR: invalid input syntax for type timestamp with time zone: "invalid date"
+ALTER ROLE role_ro65 VALID UNTIL '2030/13/1';-- Try invalid month
+ERROR: date/time field value out of range: "2030/13/1"
+HINT: Perhaps you need a different "datestyle" setting.
+ALTER ROLE role_ro65 VALID UNTIL '2030/1/32';-- Try invalid day
+ERROR: date/time field value out of range: "2030/1/32"
+HINT: Perhaps you need a different "datestyle" setting.
+ALTER ROLE role_ro65 VALID UNTIL '2030/2/30';-- Try invalid day for feb
+ERROR: date/time field value out of range: "2030/2/30"
+DROP ROLE role_ro65;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 2af28b1..7360f8b 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -59,7 +59,7 @@ test: create_index create_view
# ----------
# Another group of parallel tests
# ----------
-test: create_aggregate create_function_3 create_cast constraints triggers inherit create_table_like typed_table vacuum drop_if_exists updatable_views
+test: create_aggregate create_function_3 create_cast constraints triggers inherit create_table_like typed_table vacuum drop_if_exists updatable_views user
# ----------
# sanity_check does a vacuum, affecting the sort order of SELECT *
diff --git a/src/test/regress/sql/user.sql b/src/test/regress/sql/user.sql
new file mode 100644
index 0000000..19d4d65
--- /dev/null
+++ b/src/test/regress/sql/user.sql
@@ -0,0 +1,351 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+
+-- Should work. SET configuration during ALTER ROLE
+CREATE ROLE role_ro1;
+ALTER ROLE role_ro1 SET SEED=0.5;
+DROP ROLE role_ro1;
+
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE role_ro1b SUPERUSER;
+ALTER ROLE role_ro1b SET SEED=0.5;
+
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2;
+SET ROLE role_ro2;
+CREATE ROLE role_ro3 SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro2;
+
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro2b;
+CREATE ROLE role_ro3b;
+SET ROLE role_ro2b;
+ALTER ROLE role_ro3b SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro3b;
+DROP ROLE role_ro2b;
+
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro4;
+CREATE ROLE role_ro5;
+SET ROLE role_ro4;
+ALTER ROLE role_ro5 SUPERUSER;
+RESET ROLE;
+DROP ROLE role_ro5;
+DROP ROLE role_ro4;
+
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE role_ro6 SUPERUSER;
+CREATE ROLE role_ro7;
+SET ROLE role_ro7;
+ALTER ROLE role_ro6 NOSUPERUSER;
+ALTER ROLE role_ro6 SET SEED=0.5;
+RESET ROLE;
+DROP ROLE role_ro7;
+DROP ROLE role_ro6;
+
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE role_ro7;
+CREATE ROLE role_ro8;
+SET ROLE role_ro8;
+ALTER ROLE role_ro7 SET SEED = 0.5;
+ALTER ROLE role_ro7 VALID UNTIL '9999/1/1';
+RESET ROLE;
+DROP ROLE role_ro8;
+DROP ROLE role_ro7;
+
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE ROLE role_ro9;
+CREATE SCHEMA schema_ro9;
+SET ROLE role_ro9;
+ALTER ROLE role_ro9 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+DROP ROLE role_ro9;
+
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+DROP SCHEMA schema_ro11;
+
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE role_ro12;
+CREATE ROLE role_ro13 WITH REPLICATION;
+SET ROLE role_ro12;
+ALTER ROLE role_ro13 SET SEED = 0.5;
+ALTER ROLE role_ro13 NOREPLICATION;
+DROP ROLE role_ro13;
+RESET ROLE;
+DROP ROLE role_ro13;
+DROP ROLE role_ro12;
+
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE role_ro14;
+ALTER ROLE role_ro14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro14;
+CREATE ROLE role_ro15;
+ALTER ROLE role_ro15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro15;
+
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE role_ro16;
+ALTER ROLE role_ro16 WITH ENCRYPTED PASSWORD;
+DROP ROLE role_ro16;
+CREATE ROLE role_ro17;
+ALTER ROLE role_ro17 WITH UNENCRYPTED PASSWORD;
+DROP ROLE role_ro17;
+
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE role_ro18;
+ALTER ROLE role_ro18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+DROP ROLE role_ro18;
+
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+CREATE ROLE role_ro19;
+ALTER ROLE role_ro19 WITH INHERIT NOINHERIT;
+DROP ROLE role_ro19;
+
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+CREATE ROLE role_ro20;
+ALTER ROLE role_ro20 WITH CREATEDB NOCREATEDB;
+DROP ROLE role_ro20;
+
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+CREATE ROLE role_ro21;
+ALTER ROLE role_ro21 WITH LOGIN NOLOGIN;
+DROP ROLE role_ro21;
+
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+CREATE ROLE role_ro22;
+ALTER ROLE role_ro22 WITH CREATEROLE NOCREATEROLE;
+DROP ROLE role_ro22;
+
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+CREATE ROLE role_ro23;
+ALTER ROLE role_ro23 WITH REPLICATION NOREPLICATION;
+DROP ROLE role_ro23;
+
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+CREATE ROLE role_ro24;
+ALTER ROLE role_ro24 WITH CONNECTION LIMIT 0;
+DROP ROLE role_ro24;
+
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+CREATE ROLE role_ro25;
+ALTER ROLE role_ro25 VALID UNTIL;
+DROP ROLE role_ro25;
+
+-- Should fail. ALTER ROLE with invalid option
+CREATE ROLE role_ro26;
+ALTER ROLE role_ro26 invalid_option;
+DROP ROLE role_ro26;
+
+-- Should work. ALTER ROLE with valid values
+CREATE ROLE role_ro27;
+ALTER ROLE role_ro27 WITH VALID UNTIL '9999/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+DROP ROLE role_ro27;
+
+-- Should work. ALTER ROLE with SET and valid values
+CREATE ROLE role_ro28;
+ALTER ROLE role_ro28 SET SEED = 0.5 ;
+DROP ROLE role_ro28;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+CREATE ROLE role_ro29;
+ALTER ROLE role_ro29 IN DATABASE regression SET SEED = 0.5 ;
+DROP ROLE role_ro29;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with PASSWORD NULL
+CREATE ROLE role_ro30;
+ALTER ROLE role_ro30 PASSWORD NULL;
+DROP ROLE role_ro30;
+
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE role_ro31;
+SET ROLE role_ro31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+DROP ROLE role_ro31;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE role_ro32;
+SET ROLE role_ro32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+RESET ROLE;
+DROP ROLE role_ro32;
+
+-- Should fail. DROP ROLE for current user
+CREATE ROLE role_ro33 CREATEROLE;
+SET ROLE role_ro33;
+DROP ROLE role_ro33;
+RESET ROLE;
+DROP ROLE role_ro33;
+
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE role_ro34 SUPERUSER;
+CREATE ROLE role_ro34a CREATEROLE;
+SET SESSION AUTHORIZATION role_ro34;
+SET ROLE role_ro34a;
+DROP ROLE role_ro34;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro34;
+DROP ROLE role_ro34a;
+
+-- Should work. ALTER ROLE RENAME
+CREATE ROLE role_ro37;
+ALTER ROLE role_ro37 RENAME TO role_ro37a;
+DROP ROLE role_ro37a;
+
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE role_37b RENAME TO role_ro37b;
+
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE role_ro38;
+SET SESSION AUTHORIZATION role_ro38;
+ALTER ROLE role_ro38 RENAME TO role_ro38a;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE role_ro38;
+
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE role_ro39 CREATEROLE;
+SET ROLE role_ro39;
+ALTER ROLE role_ro39 RENAME TO role_ro39a;
+RESET ROLE;
+DROP ROLE role_ro39;
+
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE role_ro40;
+CREATE ROLE role_ro41;
+ALTER ROLE role_ro40 RENAME TO role_ro41;
+ALTER ROLE role_ro40 RENAME TO public;
+ALTER ROLE role_ro40 RENAME TO none;
+DROP ROLE role_ro40;
+DROP ROLE role_ro41;
+
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE role_ro42 SUPERUSER;
+CREATE ROLE role_ro43;
+SET ROLE role_ro43;
+ALTER ROLE role_ro42 RENAME TO role_ro42a;
+RESET ROLE;
+DROP ROLE role_ro43;
+DROP ROLE role_ro42;
+
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE role_ro44;
+CREATE ROLE role_ro45;
+SET ROLE role_ro45;
+ALTER ROLE role_ro44 RENAME TO role_ro44a;
+RESET ROLE;
+DROP ROLE role_ro45;
+DROP ROLE role_ro44;
+
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE role_ro46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE role_ro46 RENAME TO role_ro46a;
+DROP ROLE role_ro46a;
+
+
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE role_ro47 SUPERUSER;
+CREATE ROLE role_ro47b;
+CREATE ROLE role_ro48;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+RESET ROLE;
+
+ALTER ROLE role_ro48 CREATEROLE;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+RESET ROLE;
+
+ALTER ROLE role_ro48 SUPERUSER;
+
+SET ROLE role_ro48;
+GRANT role_ro47 TO role_ro47b;
+REVOKE role_ro47 FROM role_ro47b;
+RESET ROLE;
+
+DROP ROLE role_ro47;
+DROP ROLE role_ro47b;
+DROP ROLE role_ro48;
+
+
+
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE role_ro49;
+CREATE ROLE role_ro50;
+CREATE ROLE role_ro51;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+RESET ROLE;
+
+ALTER ROLE role_ro49 CREATEROLE;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+
+GRANT role_ro49 to role_ro50 WITH ADMIN OPTION;
+
+SET ROLE role_ro49;
+GRANT role_ro50 TO role_ro51;
+REVOKE role_ro50 FROM role_ro51;
+RESET ROLE;
+
+DROP ROLE role_ro51;
+DROP ROLE role_ro50;
+DROP ROLE role_ro49;
+
+
+
+-- Should fail. GRANT a ROLE should avoid becoming its own member or do loops
+CREATE ROLE role_ro52;
+CREATE ROLE role_ro53;
+GRANT role_ro52 TO role_ro52;
+GRANT role_ro52 TO role_ro53;
+GRANT role_ro53 TO role_ro52;
+DROP ROLE role_ro52;
+DROP ROLE role_ro53;
+
+
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE role_ro61;
+CREATE ROLE role_ro62;
+REVOKE role_ro62 FROM role_ro61;
+DROP ROLE role_ro62;
+DROP ROLE role_ro61;
+
+
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE role_ro63;
+CREATE ROLE role_ro64;
+GRANT role_ro64 TO role_ro63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR role_ro64 FROM role_ro63;
+DROP ROLE role_ro63;
+DROP ROLE role_ro64;
+
+-- Should fail. Can't ALTER ROLE VALID UNTIL with an invalid date
+CREATE ROLE role_ro65;
+ALTER ROLE role_ro65 VALID UNTIL '5874898/1/1'; -- Try invalid year
+ALTER ROLE role_ro65 VALID UNTIL 'invalid date'; -- Try non numeric date
+ALTER ROLE role_ro65 VALID UNTIL '2030/13/1';-- Try invalid month
+ALTER ROLE role_ro65 VALID UNTIL '2030/1/32';-- Try invalid day
+ALTER ROLE role_ro65 VALID UNTIL '2030/2/30';-- Try invalid day for feb
+DROP ROLE role_ro65;
+
+
Re: Add regression tests for ROLE (USER)
This updated version works for me and addresses previous comments.
I think that such tests are definitely valuable, especially as many corner
cases which must trigger errors are covered.
I recommend to apply it.
Please find an updated patch as per comments on Commitfest (comments
replicated below for ease of understanding).Feedback 1:
fc: role_ro2/3 used twice?
rt: Corrected in this update.Feedback 2:
fc: I do not understand why "asdf" conveys anything about an expected
failure. Association of Scientists, Developers and Faculties? :-)
rt: ASDF is a pattern that I learnt in one of the tests (SEQUENCE?) that
pre-existed when I started working. Its a slang for arbit text that I just
reused thinking that it is normal practice here. Anyway, have corrected
that in this update.Feedback 3:
fc: 2030/1/1 -> 2030-01-01? maybe use a larger date?
rt: 2030/1/1 date is not a failure point of the test. It needs to be a
valid date (but sufficiently distant that so that tests don't fail). I
tried setting this to 2200/1/1 and I get the same error message. Let me
know if this still needs to be a large date.
fb: VALID UNTIL '9999-12-31' works for me...
rt: I thought 20 years is a date sufficiently far ahead to ensure that this
test doesn't fail. Sure, have updated the test to use 9999/1/1. Also, have
added more tests at the end to ensure date-checks are also being validated
in ALTER ROLE VALID UNTIL.
--
Fabien.
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: Add regression tests for ROLE (USER)
On Thu, May 9, 2013 at 4:29 AM, Fabien COELHO <coelho@cri.ensmp.fr> wrote:
This updated version works for me and addresses previous comments.
I think that such tests are definitely valuable, especially as many corner
cases which must trigger errors are covered.I recommend to apply it.
I'm attaching an update of this patch that renames both the new test
file (user->role), and the regression users that get created. It also
fixes the serial schedule to match the parallel schedule.
However, before it can get committed, I think this set of tests needs
streamlining. It does seem to me valuable, but I think it's wasteful
in terms of runtime to create so many roles, do just one thing with
them, and then drop them. I recommend consolidating some of the
tests. For example:
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE regress_rol_rol14;
+ALTER ROLE regress_rol_rol14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE regress_rol_rol14;
+CREATE ROLE regress_rol_rol15;
+ALTER ROLE regress_rol_rol15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE regress_rol_rol15;
+
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE regress_rol_rol16;
+ALTER ROLE regress_rol_rol16 WITH ENCRYPTED PASSWORD;
+DROP ROLE regress_rol_rol16;
+CREATE ROLE regress_rol_rol17;
+ALTER ROLE regress_rol_rol17 WITH UNENCRYPTED PASSWORD;
+DROP ROLE regress_rol_rol17;
+
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE regress_rol_rol18;
+ALTER ROLE regress_rol_rol18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+DROP ROLE regress_rol_rol18;There's no reason that couldn't be written this way:
CREATE ROLE regress_rol_rol14;
ALTER ROLE regress_rol_rol14 WITH ENCRYPTED PASSWORD 'abc';
ALTER ROLE regress_rol_rol14 WITH UNENCRYPTED PASSWORD 'abc';
ALTER ROLE regress_rol_rol14 WITH ENCRYPTED PASSWORD;
ALTER ROLE regress_rol_rol14 WITH UNENCRYPTED PASSWORD;
ALTER ROLE regress_rol_rol14 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
DROP ROLE regress_rol_rol14;
Considering the concerns already expressed about the runtime of the
test, I think it's important to minimize the number of create/drop
role cycles that the tests perform.
Generally, I think that the tests which return a syntax error are of
limited value and should probably be dropped. That is unlikely to get
broken by accident. If the syntax error is being thrown by something
outside of bison proper, that's probably worth testing. But I think
that testing random syntax variations is a pretty low-value
proposition.
Setting this to "Waiting on Author".
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Attachments:
regress_role_v3.patchapplication/octet-stream; name=regress_role_v3.patchDownload
diff --git a/src/test/regress/expected/role.out b/src/test/regress/expected/role.out
new file mode 100644
index 0000000..d05fa23
--- /dev/null
+++ b/src/test/regress/expected/role.out
@@ -0,0 +1,346 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+-- Should work. SET configuration during ALTER ROLE
+CREATE ROLE regress_rol_rol1;
+ALTER ROLE regress_rol_rol1 SET SEED=0.5;
+DROP ROLE regress_rol_rol1;
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE regress_rol_rol1b SUPERUSER;
+ERROR: role "regress_rol_rol1b" does not exist
+ALTER ROLE regress_rol_rol1b SET SEED=0.5;
+ERROR: role "regress_rol_rol1b" does not exist
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol2;
+SET ROLE regress_rol_rol2;
+CREATE ROLE regress_rol_rol3 SUPERUSER;
+ERROR: must be superuser to create superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol2;
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol2b;
+CREATE ROLE regress_rol_rol3b;
+SET ROLE regress_rol_rol2b;
+ALTER ROLE regress_rol_rol3b SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol3b;
+DROP ROLE regress_rol_rol2b;
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol4;
+CREATE ROLE regress_rol_rol5;
+SET ROLE regress_rol_rol4;
+ALTER ROLE regress_rol_rol5 SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol5;
+DROP ROLE regress_rol_rol4;
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol6 SUPERUSER;
+CREATE ROLE regress_rol_rol7;
+SET ROLE regress_rol_rol7;
+ALTER ROLE regress_rol_rol6 NOSUPERUSER;
+ERROR: must be superuser to alter superusers
+ALTER ROLE regress_rol_rol6 SET SEED=0.5;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol7;
+DROP ROLE regress_rol_rol6;
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE regress_rol_rol7;
+CREATE ROLE regress_rol_rol8;
+SET ROLE regress_rol_rol8;
+ALTER ROLE regress_rol_rol7 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE regress_rol_rol7 VALID UNTIL '9999/1/1';
+ERROR: permission denied
+RESET ROLE;
+DROP ROLE regress_rol_rol8;
+DROP ROLE regress_rol_rol7;
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE ROLE regress_rol_rol9;
+CREATE SCHEMA schema_ro9;
+SET ROLE regress_rol_rol9;
+ALTER ROLE regress_rol_rol9 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+DROP ROLE regress_rol_rol9;
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+ERROR: role "schema_ro11" does not exist
+DROP SCHEMA schema_ro11;
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE regress_rol_rol12;
+CREATE ROLE regress_rol_rol13 WITH REPLICATION;
+SET ROLE regress_rol_rol12;
+ALTER ROLE regress_rol_rol13 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE regress_rol_rol13 NOREPLICATION;
+ERROR: must be superuser to alter replication users
+DROP ROLE regress_rol_rol13;
+ERROR: permission denied to drop role
+RESET ROLE;
+DROP ROLE regress_rol_rol13;
+DROP ROLE regress_rol_rol12;
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE regress_rol_rol14;
+ALTER ROLE regress_rol_rol14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE regress_rol_rol14;
+CREATE ROLE regress_rol_rol15;
+ALTER ROLE regress_rol_rol15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE regress_rol_rol15;
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE regress_rol_rol16;
+ALTER ROLE regress_rol_rol16 WITH ENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE regress_rol_rol16 WITH ENCRYPTED PASSWORD;
+ ^
+DROP ROLE regress_rol_rol16;
+CREATE ROLE regress_rol_rol17;
+ALTER ROLE regress_rol_rol17 WITH UNENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE regress_rol_rol17 WITH UNENCRYPTED PASSWORD;
+ ^
+DROP ROLE regress_rol_rol17;
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE regress_rol_rol18;
+ALTER ROLE regress_rol_rol18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+ERROR: syntax error at or near "UNENCRYPTED"
+LINE 1: ALTER ROLE regress_rol_rol18 WITH ENCRYPTED UNENCRYPTED PASS...
+ ^
+DROP ROLE regress_rol_rol18;
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+CREATE ROLE regress_rol_rol19;
+ALTER ROLE regress_rol_rol19 WITH INHERIT NOINHERIT;
+ERROR: conflicting or redundant options
+DROP ROLE regress_rol_rol19;
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+CREATE ROLE regress_rol_rol20;
+ALTER ROLE regress_rol_rol20 WITH CREATEDB NOCREATEDB;
+ERROR: conflicting or redundant options
+DROP ROLE regress_rol_rol20;
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+CREATE ROLE regress_rol_rol21;
+ALTER ROLE regress_rol_rol21 WITH LOGIN NOLOGIN;
+ERROR: conflicting or redundant options
+DROP ROLE regress_rol_rol21;
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+CREATE ROLE regress_rol_rol22;
+ALTER ROLE regress_rol_rol22 WITH CREATEROLE NOCREATEROLE;
+ERROR: conflicting or redundant options
+DROP ROLE regress_rol_rol22;
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+CREATE ROLE regress_rol_rol23;
+ALTER ROLE regress_rol_rol23 WITH REPLICATION NOREPLICATION;
+ERROR: conflicting or redundant options
+DROP ROLE regress_rol_rol23;
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+CREATE ROLE regress_rol_rol24;
+ALTER ROLE regress_rol_rol24 WITH CONNECTION LIMIT 0;
+DROP ROLE regress_rol_rol24;
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+CREATE ROLE regress_rol_rol25;
+ALTER ROLE regress_rol_rol25 VALID UNTIL;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE regress_rol_rol25 VALID UNTIL;
+ ^
+DROP ROLE regress_rol_rol25;
+-- Should fail. ALTER ROLE with invalid option
+CREATE ROLE regress_rol_rol26;
+ALTER ROLE regress_rol_rol26 invalid_option;
+ERROR: unrecognized role option "invalid_option"
+LINE 1: ALTER ROLE regress_rol_rol26 invalid_option;
+ ^
+DROP ROLE regress_rol_rol26;
+-- Should work. ALTER ROLE with valid values
+CREATE ROLE regress_rol_rol27;
+ALTER ROLE regress_rol_rol27 WITH VALID UNTIL '9999/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+DROP ROLE regress_rol_rol27;
+-- Should work. ALTER ROLE with SET and valid values
+CREATE ROLE regress_rol_rol28;
+ALTER ROLE regress_rol_rol28 SET SEED = 0.5 ;
+DROP ROLE regress_rol_rol28;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+CREATE ROLE regress_rol_rol29;
+ALTER ROLE regress_rol_rol29 IN DATABASE regression SET SEED = 0.5 ;
+DROP ROLE regress_rol_rol29;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+-- Should fail. ALTER ROLE with PASSWORD NULL
+CREATE ROLE regress_rol_rol30;
+ALTER ROLE regress_rol_rol30 PASSWORD NULL;
+DROP ROLE regress_rol_rol30;
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE regress_rol_rol31;
+SET ROLE regress_rol_rol31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+ERROR: must be owner of database postgres
+DROP ROLE regress_rol_rol31;
+ERROR: current transaction is aborted, commands ignored until end of transaction block
+ROLLBACK;
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE regress_rol_rol32;
+SET ROLE regress_rol_rol32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+ERROR: must be superuser to alter settings globally
+RESET ROLE;
+DROP ROLE regress_rol_rol32;
+-- Should fail. DROP ROLE for current user
+CREATE ROLE regress_rol_rol33 CREATEROLE;
+SET ROLE regress_rol_rol33;
+DROP ROLE regress_rol_rol33;
+ERROR: current user cannot be dropped
+RESET ROLE;
+DROP ROLE regress_rol_rol33;
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE regress_rol_rol34 SUPERUSER;
+CREATE ROLE regress_rol_rol34a CREATEROLE;
+SET SESSION AUTHORIZATION regress_rol_rol34;
+SET ROLE regress_rol_rol34a;
+DROP ROLE regress_rol_rol34;
+ERROR: session user cannot be dropped
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE regress_rol_rol34;
+DROP ROLE regress_rol_rol34a;
+-- Should work. ALTER ROLE RENAME
+CREATE ROLE regress_rol_rol37;
+ALTER ROLE regress_rol_rol37 RENAME TO regress_rol_rol37a;
+DROP ROLE regress_rol_rol37a;
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE role_37b RENAME TO regress_rol_rol37b;
+ERROR: role "role_37b" does not exist
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE regress_rol_rol38;
+SET SESSION AUTHORIZATION regress_rol_rol38;
+ALTER ROLE regress_rol_rol38 RENAME TO regress_rol_rol38a;
+ERROR: session user cannot be renamed
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE regress_rol_rol38;
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE regress_rol_rol39 CREATEROLE;
+SET ROLE regress_rol_rol39;
+ALTER ROLE regress_rol_rol39 RENAME TO regress_rol_rol39a;
+ERROR: current user cannot be renamed
+RESET ROLE;
+DROP ROLE regress_rol_rol39;
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE regress_rol_rol40;
+CREATE ROLE regress_rol_rol41;
+ALTER ROLE regress_rol_rol40 RENAME TO regress_rol_rol41;
+ERROR: role "regress_rol_rol41" already exists
+ALTER ROLE regress_rol_rol40 RENAME TO public;
+ERROR: role name "public" is reserved
+ALTER ROLE regress_rol_rol40 RENAME TO none;
+ERROR: role name "none" is reserved
+DROP ROLE regress_rol_rol40;
+DROP ROLE regress_rol_rol41;
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE regress_rol_rol42 SUPERUSER;
+CREATE ROLE regress_rol_rol43;
+SET ROLE regress_rol_rol43;
+ALTER ROLE regress_rol_rol42 RENAME TO regress_rol_rol42a;
+ERROR: must be superuser to rename superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol43;
+DROP ROLE regress_rol_rol42;
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE regress_rol_rol44;
+CREATE ROLE regress_rol_rol45;
+SET ROLE regress_rol_rol45;
+ALTER ROLE regress_rol_rol44 RENAME TO regress_rol_rol44a;
+ERROR: permission denied to rename role
+RESET ROLE;
+DROP ROLE regress_rol_rol45;
+DROP ROLE regress_rol_rol44;
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE regress_rol_rol46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE regress_rol_rol46 RENAME TO regress_rol_rol46a;
+NOTICE: MD5 password cleared because of role rename
+DROP ROLE regress_rol_rol46a;
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE regress_rol_rol47 SUPERUSER;
+CREATE ROLE regress_rol_rol47b;
+CREATE ROLE regress_rol_rol48;
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE regress_rol_rol48 CREATEROLE;
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE regress_rol_rol48 SUPERUSER;
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+REVOKE regress_rol_rol47 FROM regress_rol_rol47b;
+RESET ROLE;
+DROP ROLE regress_rol_rol47;
+DROP ROLE regress_rol_rol47b;
+DROP ROLE regress_rol_rol48;
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE regress_rol_rol49;
+CREATE ROLE regress_rol_rol50;
+CREATE ROLE regress_rol_rol51;
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+ERROR: must have admin option on role "regress_rol_rol50"
+RESET ROLE;
+ALTER ROLE regress_rol_rol49 CREATEROLE;
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+REVOKE regress_rol_rol50 FROM regress_rol_rol51;
+RESET ROLE;
+GRANT regress_rol_rol49 to regress_rol_rol50 WITH ADMIN OPTION;
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+REVOKE regress_rol_rol50 FROM regress_rol_rol51;
+RESET ROLE;
+DROP ROLE regress_rol_rol51;
+DROP ROLE regress_rol_rol50;
+DROP ROLE regress_rol_rol49;
+-- Should fail. GRANT a ROLE should avoid becoming its own member or do loops
+CREATE ROLE regress_rol_rol52;
+CREATE ROLE regress_rol_rol53;
+GRANT regress_rol_rol52 TO regress_rol_rol52;
+ERROR: role "regress_rol_rol52" is a member of role "regress_rol_rol52"
+GRANT regress_rol_rol52 TO regress_rol_rol53;
+GRANT regress_rol_rol53 TO regress_rol_rol52;
+ERROR: role "regress_rol_rol53" is a member of role "regress_rol_rol52"
+DROP ROLE regress_rol_rol52;
+DROP ROLE regress_rol_rol53;
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE regress_rol_rol61;
+CREATE ROLE regress_rol_rol62;
+REVOKE regress_rol_rol62 FROM regress_rol_rol61;
+WARNING: role "regress_rol_rol61" is not a member of role "regress_rol_rol62"
+DROP ROLE regress_rol_rol62;
+DROP ROLE regress_rol_rol61;
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE regress_rol_rol63;
+CREATE ROLE regress_rol_rol64;
+GRANT regress_rol_rol64 TO regress_rol_rol63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR regress_rol_rol64 FROM regress_rol_rol63;
+DROP ROLE regress_rol_rol63;
+DROP ROLE regress_rol_rol64;
+-- Should fail. Can't ALTER ROLE VALID UNTIL with an invalid date
+CREATE ROLE regress_rol_rol65;
+ALTER ROLE regress_rol_rol65 VALID UNTIL '5874898/1/1'; -- Try invalid year
+ERROR: timestamp out of range: "5874898/1/1"
+ALTER ROLE regress_rol_rol65 VALID UNTIL 'invalid date'; -- Try non numeric date
+ERROR: invalid input syntax for type timestamp with time zone: "invalid date"
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/13/1';-- Try invalid month
+ERROR: date/time field value out of range: "2030/13/1"
+HINT: Perhaps you need a different "datestyle" setting.
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/1/32';-- Try invalid day
+ERROR: date/time field value out of range: "2030/1/32"
+HINT: Perhaps you need a different "datestyle" setting.
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/2/30';-- Try invalid day for feb
+ERROR: date/time field value out of range: "2030/2/30"
+DROP ROLE regress_rol_rol65;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 3e6b306..dafeb41 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -83,7 +83,7 @@ test: select_into select_distinct select_distinct_on select_implicit select_havi
# ----------
# Another group of parallel tests
# ----------
-test: privileges security_label collate matview
+test: privileges security_label collate matview role
# ----------
# Another group of parallel tests
diff --git a/src/test/regress/serial_schedule b/src/test/regress/serial_schedule
index 3ad289f..8c5402a 100644
--- a/src/test/regress/serial_schedule
+++ b/src/test/regress/serial_schedule
@@ -96,6 +96,7 @@ test: privileges
test: security_label
test: collate
test: matview
+test: role
test: alter_generic
test: misc
test: psql
diff --git a/src/test/regress/sql/role.sql b/src/test/regress/sql/role.sql
new file mode 100644
index 0000000..c0f21c9
--- /dev/null
+++ b/src/test/regress/sql/role.sql
@@ -0,0 +1,351 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+
+-- Should work. SET configuration during ALTER ROLE
+CREATE ROLE regress_rol_rol1;
+ALTER ROLE regress_rol_rol1 SET SEED=0.5;
+DROP ROLE regress_rol_rol1;
+
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE regress_rol_rol1b SUPERUSER;
+ALTER ROLE regress_rol_rol1b SET SEED=0.5;
+
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol2;
+SET ROLE regress_rol_rol2;
+CREATE ROLE regress_rol_rol3 SUPERUSER;
+RESET ROLE;
+DROP ROLE regress_rol_rol2;
+
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol2b;
+CREATE ROLE regress_rol_rol3b;
+SET ROLE regress_rol_rol2b;
+ALTER ROLE regress_rol_rol3b SUPERUSER;
+RESET ROLE;
+DROP ROLE regress_rol_rol3b;
+DROP ROLE regress_rol_rol2b;
+
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol4;
+CREATE ROLE regress_rol_rol5;
+SET ROLE regress_rol_rol4;
+ALTER ROLE regress_rol_rol5 SUPERUSER;
+RESET ROLE;
+DROP ROLE regress_rol_rol5;
+DROP ROLE regress_rol_rol4;
+
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol6 SUPERUSER;
+CREATE ROLE regress_rol_rol7;
+SET ROLE regress_rol_rol7;
+ALTER ROLE regress_rol_rol6 NOSUPERUSER;
+ALTER ROLE regress_rol_rol6 SET SEED=0.5;
+RESET ROLE;
+DROP ROLE regress_rol_rol7;
+DROP ROLE regress_rol_rol6;
+
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE regress_rol_rol7;
+CREATE ROLE regress_rol_rol8;
+SET ROLE regress_rol_rol8;
+ALTER ROLE regress_rol_rol7 SET SEED = 0.5;
+ALTER ROLE regress_rol_rol7 VALID UNTIL '9999/1/1';
+RESET ROLE;
+DROP ROLE regress_rol_rol8;
+DROP ROLE regress_rol_rol7;
+
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE ROLE regress_rol_rol9;
+CREATE SCHEMA schema_ro9;
+SET ROLE regress_rol_rol9;
+ALTER ROLE regress_rol_rol9 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+DROP ROLE regress_rol_rol9;
+
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+DROP SCHEMA schema_ro11;
+
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE regress_rol_rol12;
+CREATE ROLE regress_rol_rol13 WITH REPLICATION;
+SET ROLE regress_rol_rol12;
+ALTER ROLE regress_rol_rol13 SET SEED = 0.5;
+ALTER ROLE regress_rol_rol13 NOREPLICATION;
+DROP ROLE regress_rol_rol13;
+RESET ROLE;
+DROP ROLE regress_rol_rol13;
+DROP ROLE regress_rol_rol12;
+
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+CREATE ROLE regress_rol_rol14;
+ALTER ROLE regress_rol_rol14 WITH ENCRYPTED PASSWORD 'abc';
+DROP ROLE regress_rol_rol14;
+CREATE ROLE regress_rol_rol15;
+ALTER ROLE regress_rol_rol15 WITH UNENCRYPTED PASSWORD 'abc';
+DROP ROLE regress_rol_rol15;
+
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+CREATE ROLE regress_rol_rol16;
+ALTER ROLE regress_rol_rol16 WITH ENCRYPTED PASSWORD;
+DROP ROLE regress_rol_rol16;
+CREATE ROLE regress_rol_rol17;
+ALTER ROLE regress_rol_rol17 WITH UNENCRYPTED PASSWORD;
+DROP ROLE regress_rol_rol17;
+
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+CREATE ROLE regress_rol_rol18;
+ALTER ROLE regress_rol_rol18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+DROP ROLE regress_rol_rol18;
+
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+CREATE ROLE regress_rol_rol19;
+ALTER ROLE regress_rol_rol19 WITH INHERIT NOINHERIT;
+DROP ROLE regress_rol_rol19;
+
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+CREATE ROLE regress_rol_rol20;
+ALTER ROLE regress_rol_rol20 WITH CREATEDB NOCREATEDB;
+DROP ROLE regress_rol_rol20;
+
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+CREATE ROLE regress_rol_rol21;
+ALTER ROLE regress_rol_rol21 WITH LOGIN NOLOGIN;
+DROP ROLE regress_rol_rol21;
+
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+CREATE ROLE regress_rol_rol22;
+ALTER ROLE regress_rol_rol22 WITH CREATEROLE NOCREATEROLE;
+DROP ROLE regress_rol_rol22;
+
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+CREATE ROLE regress_rol_rol23;
+ALTER ROLE regress_rol_rol23 WITH REPLICATION NOREPLICATION;
+DROP ROLE regress_rol_rol23;
+
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+CREATE ROLE regress_rol_rol24;
+ALTER ROLE regress_rol_rol24 WITH CONNECTION LIMIT 0;
+DROP ROLE regress_rol_rol24;
+
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+CREATE ROLE regress_rol_rol25;
+ALTER ROLE regress_rol_rol25 VALID UNTIL;
+DROP ROLE regress_rol_rol25;
+
+-- Should fail. ALTER ROLE with invalid option
+CREATE ROLE regress_rol_rol26;
+ALTER ROLE regress_rol_rol26 invalid_option;
+DROP ROLE regress_rol_rol26;
+
+-- Should work. ALTER ROLE with valid values
+CREATE ROLE regress_rol_rol27;
+ALTER ROLE regress_rol_rol27 WITH VALID UNTIL '9999/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+DROP ROLE regress_rol_rol27;
+
+-- Should work. ALTER ROLE with SET and valid values
+CREATE ROLE regress_rol_rol28;
+ALTER ROLE regress_rol_rol28 SET SEED = 0.5 ;
+DROP ROLE regress_rol_rol28;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+CREATE ROLE regress_rol_rol29;
+ALTER ROLE regress_rol_rol29 IN DATABASE regression SET SEED = 0.5 ;
+DROP ROLE regress_rol_rol29;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with PASSWORD NULL
+CREATE ROLE regress_rol_rol30;
+ALTER ROLE regress_rol_rol30 PASSWORD NULL;
+DROP ROLE regress_rol_rol30;
+
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE regress_rol_rol31;
+SET ROLE regress_rol_rol31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+DROP ROLE regress_rol_rol31;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE regress_rol_rol32;
+SET ROLE regress_rol_rol32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+RESET ROLE;
+DROP ROLE regress_rol_rol32;
+
+-- Should fail. DROP ROLE for current user
+CREATE ROLE regress_rol_rol33 CREATEROLE;
+SET ROLE regress_rol_rol33;
+DROP ROLE regress_rol_rol33;
+RESET ROLE;
+DROP ROLE regress_rol_rol33;
+
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE regress_rol_rol34 SUPERUSER;
+CREATE ROLE regress_rol_rol34a CREATEROLE;
+SET SESSION AUTHORIZATION regress_rol_rol34;
+SET ROLE regress_rol_rol34a;
+DROP ROLE regress_rol_rol34;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE regress_rol_rol34;
+DROP ROLE regress_rol_rol34a;
+
+-- Should work. ALTER ROLE RENAME
+CREATE ROLE regress_rol_rol37;
+ALTER ROLE regress_rol_rol37 RENAME TO regress_rol_rol37a;
+DROP ROLE regress_rol_rol37a;
+
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE role_37b RENAME TO regress_rol_rol37b;
+
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE regress_rol_rol38;
+SET SESSION AUTHORIZATION regress_rol_rol38;
+ALTER ROLE regress_rol_rol38 RENAME TO regress_rol_rol38a;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE regress_rol_rol38;
+
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE regress_rol_rol39 CREATEROLE;
+SET ROLE regress_rol_rol39;
+ALTER ROLE regress_rol_rol39 RENAME TO regress_rol_rol39a;
+RESET ROLE;
+DROP ROLE regress_rol_rol39;
+
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE regress_rol_rol40;
+CREATE ROLE regress_rol_rol41;
+ALTER ROLE regress_rol_rol40 RENAME TO regress_rol_rol41;
+ALTER ROLE regress_rol_rol40 RENAME TO public;
+ALTER ROLE regress_rol_rol40 RENAME TO none;
+DROP ROLE regress_rol_rol40;
+DROP ROLE regress_rol_rol41;
+
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE regress_rol_rol42 SUPERUSER;
+CREATE ROLE regress_rol_rol43;
+SET ROLE regress_rol_rol43;
+ALTER ROLE regress_rol_rol42 RENAME TO regress_rol_rol42a;
+RESET ROLE;
+DROP ROLE regress_rol_rol43;
+DROP ROLE regress_rol_rol42;
+
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE regress_rol_rol44;
+CREATE ROLE regress_rol_rol45;
+SET ROLE regress_rol_rol45;
+ALTER ROLE regress_rol_rol44 RENAME TO regress_rol_rol44a;
+RESET ROLE;
+DROP ROLE regress_rol_rol45;
+DROP ROLE regress_rol_rol44;
+
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE regress_rol_rol46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE regress_rol_rol46 RENAME TO regress_rol_rol46a;
+DROP ROLE regress_rol_rol46a;
+
+
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE regress_rol_rol47 SUPERUSER;
+CREATE ROLE regress_rol_rol47b;
+CREATE ROLE regress_rol_rol48;
+
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+RESET ROLE;
+
+ALTER ROLE regress_rol_rol48 CREATEROLE;
+
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+RESET ROLE;
+
+ALTER ROLE regress_rol_rol48 SUPERUSER;
+
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+REVOKE regress_rol_rol47 FROM regress_rol_rol47b;
+RESET ROLE;
+
+DROP ROLE regress_rol_rol47;
+DROP ROLE regress_rol_rol47b;
+DROP ROLE regress_rol_rol48;
+
+
+
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE regress_rol_rol49;
+CREATE ROLE regress_rol_rol50;
+CREATE ROLE regress_rol_rol51;
+
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+RESET ROLE;
+
+ALTER ROLE regress_rol_rol49 CREATEROLE;
+
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+REVOKE regress_rol_rol50 FROM regress_rol_rol51;
+RESET ROLE;
+
+GRANT regress_rol_rol49 to regress_rol_rol50 WITH ADMIN OPTION;
+
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+REVOKE regress_rol_rol50 FROM regress_rol_rol51;
+RESET ROLE;
+
+DROP ROLE regress_rol_rol51;
+DROP ROLE regress_rol_rol50;
+DROP ROLE regress_rol_rol49;
+
+
+
+-- Should fail. GRANT a ROLE should avoid becoming its own member or do loops
+CREATE ROLE regress_rol_rol52;
+CREATE ROLE regress_rol_rol53;
+GRANT regress_rol_rol52 TO regress_rol_rol52;
+GRANT regress_rol_rol52 TO regress_rol_rol53;
+GRANT regress_rol_rol53 TO regress_rol_rol52;
+DROP ROLE regress_rol_rol52;
+DROP ROLE regress_rol_rol53;
+
+
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE regress_rol_rol61;
+CREATE ROLE regress_rol_rol62;
+REVOKE regress_rol_rol62 FROM regress_rol_rol61;
+DROP ROLE regress_rol_rol62;
+DROP ROLE regress_rol_rol61;
+
+
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE regress_rol_rol63;
+CREATE ROLE regress_rol_rol64;
+GRANT regress_rol_rol64 TO regress_rol_rol63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR regress_rol_rol64 FROM regress_rol_rol63;
+DROP ROLE regress_rol_rol63;
+DROP ROLE regress_rol_rol64;
+
+-- Should fail. Can't ALTER ROLE VALID UNTIL with an invalid date
+CREATE ROLE regress_rol_rol65;
+ALTER ROLE regress_rol_rol65 VALID UNTIL '5874898/1/1'; -- Try invalid year
+ALTER ROLE regress_rol_rol65 VALID UNTIL 'invalid date'; -- Try non numeric date
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/13/1';-- Try invalid month
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/1/32';-- Try invalid day
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/2/30';-- Try invalid day for feb
+DROP ROLE regress_rol_rol65;
+
+
Re: Add regression tests for ROLE (USER)
However, before it can get committed, I think this set of tests needs
streamlining. It does seem to me valuable, but I think it's wasteful
in terms of runtime to create so many roles, do just one thing with
them, and then drop them. I recommend consolidating some of the
tests. For example:Generally, I think that the tests which return a syntax error are of
limited value and should probably be dropped. That is unlikely to get
broken by accident. If the syntax error is being thrown by something
outside of bison proper, that's probably worth testing. But I think
that testing random syntax variations is a pretty low-value
proposition.
Thanks Robert.
Although the idea of being repetitive was just about trying to make tests
simpler to infer for the next person, but I guess this example was
obviously an overkill. Point taken, would correct and revert with an
updated patch.
However, the other aspect that you mention, I am unsure if I understand
correctly. Do you wish that syntactical errors not be tested? If so,
probably you're referring to tests such as the one below, and then I think
it may get difficult at times to bifurcate how to chose which tests to
include and which to not. Can I assume that all errors that spit an error
messages with 'syntax error' are to be skipped, probably that'd be an easy
test for me to know what you'd consider important?
+ALTER ROLE regress_rol_rol18 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+ERROR: syntax error at or near "UNENCRYPTED"
+LINE 1: ALTER ROLE regress_rol_rol18 WITH ENCRYPTED UNENCRYPTED PASS...Personally, I think all tests are important. Unless there is a clear
understanding that aiming for 100% code-coverage isn't the goal, I think
all tests are important, syntactical or otherwise. Its possible that not
all code is reachable (therefore testable) but the vision generally remains
at 100%.
Do let me know your view on this second point, so that I can remove these
tests if so required.
Robins Tharakan
Re: Add regression tests for ROLE (USER)
Generally, I think that the tests which return a syntax error are of
limited value and should probably be dropped.
I think that it is not that simple: it is a good value to check that the
syntax error message conveys a useful information for the user, and that
changes to the parser rules do not alter good quality error messages.
Moreover, the cost of such tests in time must be quite minimal.
--
Fabien.
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: Add regression tests for ROLE (USER)
Fabien COELHO <coelho@cri.ensmp.fr> writes:
Generally, I think that the tests which return a syntax error are of
limited value and should probably be dropped.
I think that it is not that simple: it is a good value to check that the
syntax error message conveys a useful information for the user, and that
changes to the parser rules do not alter good quality error messages.
It's good to check those things when a feature is implemented. However,
once it's done, the odds of the bison parser breaking are very low.
Thus, the benefit of testing that over again thousands of times a day
is pretty tiny.
Moreover, the cost of such tests in time must be quite minimal.
I'm not convinced (see above) and in any case the benefit is even more
minimal.
(Note that semantic errors, as opposed to syntax errors, are a different
question.)
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: Add regression tests for ROLE (USER)
On 2013-07-07 11:11:49 -0400, Tom Lane wrote:
Fabien COELHO <coelho@cri.ensmp.fr> writes:
Generally, I think that the tests which return a syntax error are of
limited value and should probably be dropped.I think that it is not that simple: it is a good value to check that the
syntax error message conveys a useful information for the user, and that
changes to the parser rules do not alter good quality error messages.It's good to check those things when a feature is implemented. However,
once it's done, the odds of the bison parser breaking are very low.
Thus, the benefit of testing that over again thousands of times a day
is pretty tiny.
There has been quite some talk about simplifying the grammar/scanner
though, if somebody starts to work on that *good* tests on syntax errors
might actually be rather worthwhile. Imo there's the danger of reducing
the specifity of error messages when doing so.
Granted, that probably mostly holds true for things actually dealing
with expressions...
Greetings,
Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: Add regression tests for ROLE (USER)
I think that it is not that simple: it is a good value to check that the
syntax error message conveys a useful information for the user, and that
changes to the parser rules do not alter good quality error messages.It's good to check those things when a feature is implemented. However,
once it's done, the odds of the bison parser breaking are very low.
I do not know that. When the next version of bison is out (I have 2.5 from
2011 on my laptop, 2.7.1 was released on 2013-04-15), or if a new "super
great acme incredible" drop-in replacement is proposed, you would like to
see the impact, whether positive or negative, it has on error messages
before switching.
Thus, the benefit of testing that over again thousands of times a day
is pretty tiny.
Sure, I agree that thousands of times per day is an overkill for syntax
errors. But once in a while would be good, and for that you need to have
them somewhere, and the current status is "nowhere".
--
Fabien.
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: Add regression tests for ROLE (USER)
On 6 July 2013 20:25, Robins Tharakan <tharakan@gmail.com> wrote:
Do let me know your view on this second point, so that I can remove these
tests if so required.
Hi,
Please find attached the updated patch.
It address the first issue regarding reducing the repeated CREATE / DROP
ROLEs.
It still doesn't address the excessive (syntactical) checks tough. I am
still unclear as to how to identify which checks to skip. (As in, although
I have a personal preference of checking everything, my question probably
wasn't clear in my previous email. I was just asking 'how' to know which
checks to not perform.) Should a 'syntax error' in the message be
considered as an unnecessary check? If so, its easier for me to identify
which checks to skip, while creating future tests.
--
Robins Tharakan
Attachments:
regress_role_v4.patchapplication/octet-stream; name=regress_role_v4.patchDownload
diff --git a/src/test/regress/expected/role.out b/src/test/regress/expected/role.out
new file mode 100644
index 0000000..7b8fcb9
--- /dev/null
+++ b/src/test/regress/expected/role.out
@@ -0,0 +1,309 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+-- Should work. SET configuration during ALTER ROLE
+-- This role is used at multiple places and so DROPped at the end
+CREATE ROLE regress_rol_rol1;
+ALTER ROLE regress_rol_rol1 SET SEED=0.5;
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE regress_rol_rol1b SUPERUSER;
+ERROR: role "regress_rol_rol1b" does not exist
+ALTER ROLE regress_rol_rol1b SET SEED=0.5;
+ERROR: role "regress_rol_rol1b" does not exist
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol2;
+SET ROLE regress_rol_rol2;
+CREATE ROLE regress_rol_rol3 SUPERUSER;
+ERROR: must be superuser to create superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol2;
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol2b;
+CREATE ROLE regress_rol_rol3b;
+SET ROLE regress_rol_rol2b;
+ALTER ROLE regress_rol_rol3b SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol3b;
+DROP ROLE regress_rol_rol2b;
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol4;
+CREATE ROLE regress_rol_rol5;
+SET ROLE regress_rol_rol4;
+ALTER ROLE regress_rol_rol5 SUPERUSER;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol5;
+DROP ROLE regress_rol_rol4;
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol6 SUPERUSER;
+CREATE ROLE regress_rol_rol7;
+SET ROLE regress_rol_rol7;
+ALTER ROLE regress_rol_rol6 NOSUPERUSER;
+ERROR: must be superuser to alter superusers
+ALTER ROLE regress_rol_rol6 SET SEED=0.5;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol7;
+DROP ROLE regress_rol_rol6;
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE regress_rol_rol7;
+CREATE ROLE regress_rol_rol8;
+SET ROLE regress_rol_rol8;
+ALTER ROLE regress_rol_rol7 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE regress_rol_rol7 VALID UNTIL '9999/1/1';
+ERROR: permission denied
+RESET ROLE;
+DROP ROLE regress_rol_rol8;
+DROP ROLE regress_rol_rol7;
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE SCHEMA schema_ro9;
+SET ROLE regress_rol_rol1;
+ALTER ROLE regress_rol_rol1 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+ERROR: role "schema_ro11" does not exist
+DROP SCHEMA schema_ro11;
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE regress_rol_rol12;
+CREATE ROLE regress_rol_rol13 WITH REPLICATION;
+SET ROLE regress_rol_rol12;
+ALTER ROLE regress_rol_rol13 SET SEED = 0.5;
+ERROR: permission denied
+ALTER ROLE regress_rol_rol13 NOREPLICATION;
+ERROR: must be superuser to alter replication users
+DROP ROLE regress_rol_rol13;
+ERROR: permission denied to drop role
+RESET ROLE;
+DROP ROLE regress_rol_rol13;
+DROP ROLE regress_rol_rol12;
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD 'abc';
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD;
+ ^
+ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD;
+ ^
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+ALTER ROLE regress_rol_rol1 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+ERROR: syntax error at or near "UNENCRYPTED"
+LINE 1: ALTER ROLE regress_rol_rol1 WITH ENCRYPTED UNENCRYPTED PASSW...
+ ^
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+ALTER ROLE regress_rol_rol1 WITH INHERIT NOINHERIT;
+ERROR: conflicting or redundant options
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+ALTER ROLE regress_rol_rol1 WITH CREATEDB NOCREATEDB;
+ERROR: conflicting or redundant options
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+ALTER ROLE regress_rol_rol1 WITH LOGIN NOLOGIN;
+ERROR: conflicting or redundant options
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+ALTER ROLE regress_rol_rol1 WITH CREATEROLE NOCREATEROLE;
+ERROR: conflicting or redundant options
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+ALTER ROLE regress_rol_rol1 WITH REPLICATION NOREPLICATION;
+ERROR: conflicting or redundant options
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+ALTER ROLE regress_rol_rol1 WITH CONNECTION LIMIT 0;
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+ALTER ROLE regress_rol_rol1 VALID UNTIL;
+ERROR: syntax error at or near ";"
+LINE 1: ALTER ROLE regress_rol_rol1 VALID UNTIL;
+ ^
+-- Should fail. ALTER ROLE with invalid option
+ALTER ROLE regress_rol_rol1 invalid_option;
+ERROR: unrecognized role option "invalid_option"
+LINE 1: ALTER ROLE regress_rol_rol1 invalid_option;
+ ^
+-- Should work. ALTER ROLE with valid values
+ALTER ROLE regress_rol_rol1 WITH VALID UNTIL '9999/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+-- Should work. ALTER ROLE with SET and valid values
+ALTER ROLE regress_rol_rol1 SET SEED = 0.5 ;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+ALTER ROLE regress_rol_rol1 IN DATABASE regression SET SEED = 0.5 ;
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+-- Should fail. ALTER ROLE with PASSWORD NULL
+ALTER ROLE regress_rol_rol1 PASSWORD NULL;
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE regress_rol_rol31;
+SET ROLE regress_rol_rol31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+ERROR: must be owner of database postgres
+DROP ROLE regress_rol_rol31;
+ERROR: current transaction is aborted, commands ignored until end of transaction block
+ROLLBACK;
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE regress_rol_rol32;
+SET ROLE regress_rol_rol32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+ERROR: must be superuser to alter settings globally
+RESET ROLE;
+DROP ROLE regress_rol_rol32;
+-- Should fail. DROP ROLE for current user
+CREATE ROLE regress_rol_rol33 CREATEROLE;
+SET ROLE regress_rol_rol33;
+DROP ROLE regress_rol_rol33;
+ERROR: current user cannot be dropped
+RESET ROLE;
+DROP ROLE regress_rol_rol33;
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE regress_rol_rol34 SUPERUSER;
+CREATE ROLE regress_rol_rol34a CREATEROLE;
+SET SESSION AUTHORIZATION regress_rol_rol34;
+SET ROLE regress_rol_rol34a;
+DROP ROLE regress_rol_rol34;
+ERROR: session user cannot be dropped
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE regress_rol_rol34;
+DROP ROLE regress_rol_rol34a;
+-- Should work. ALTER ROLE RENAME
+ALTER ROLE regress_rol_rol1 RENAME TO regress_rol_rol1a;
+ALTER ROLE regress_rol_rol1a RENAME TO regress_rol_rol1; -- Roll back, for future tests
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE role_37b RENAME TO regress_rol_rol37b;
+ERROR: role "role_37b" does not exist
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE regress_rol_rol38;
+SET SESSION AUTHORIZATION regress_rol_rol38;
+ALTER ROLE regress_rol_rol38 RENAME TO regress_rol_rol38a;
+ERROR: session user cannot be renamed
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE regress_rol_rol38;
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE regress_rol_rol39 CREATEROLE;
+SET ROLE regress_rol_rol39;
+ALTER ROLE regress_rol_rol39 RENAME TO regress_rol_rol39a;
+ERROR: current user cannot be renamed
+RESET ROLE;
+DROP ROLE regress_rol_rol39;
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE regress_rol_rol40;
+ALTER ROLE regress_rol_rol40 RENAME TO regress_rol_rol1;
+ERROR: role "regress_rol_rol1" already exists
+ALTER ROLE regress_rol_rol40 RENAME TO public;
+ERROR: role name "public" is reserved
+ALTER ROLE regress_rol_rol40 RENAME TO none;
+ERROR: role name "none" is reserved
+DROP ROLE regress_rol_rol40;
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE regress_rol_rol42 SUPERUSER;
+CREATE ROLE regress_rol_rol43;
+SET ROLE regress_rol_rol43;
+ALTER ROLE regress_rol_rol42 RENAME TO regress_rol_rol42a;
+ERROR: must be superuser to rename superusers
+RESET ROLE;
+DROP ROLE regress_rol_rol43;
+DROP ROLE regress_rol_rol42;
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE regress_rol_rol44;
+CREATE ROLE regress_rol_rol45;
+SET ROLE regress_rol_rol45;
+ALTER ROLE regress_rol_rol44 RENAME TO regress_rol_rol44a;
+ERROR: permission denied to rename role
+RESET ROLE;
+DROP ROLE regress_rol_rol45;
+DROP ROLE regress_rol_rol44;
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE regress_rol_rol46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE regress_rol_rol46 RENAME TO regress_rol_rol46a;
+NOTICE: MD5 password cleared because of role rename
+DROP ROLE regress_rol_rol46a;
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE regress_rol_rol47 SUPERUSER;
+CREATE ROLE regress_rol_rol47b;
+CREATE ROLE regress_rol_rol48;
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE regress_rol_rol48 CREATEROLE;
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+ERROR: must be superuser to alter superusers
+RESET ROLE;
+ALTER ROLE regress_rol_rol48 SUPERUSER;
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+REVOKE regress_rol_rol47 FROM regress_rol_rol47b;
+RESET ROLE;
+DROP ROLE regress_rol_rol47;
+DROP ROLE regress_rol_rol47b;
+DROP ROLE regress_rol_rol48;
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE regress_rol_rol49;
+CREATE ROLE regress_rol_rol50;
+CREATE ROLE regress_rol_rol51;
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+ERROR: must have admin option on role "regress_rol_rol50"
+RESET ROLE;
+ALTER ROLE regress_rol_rol49 CREATEROLE;
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+REVOKE regress_rol_rol50 FROM regress_rol_rol51;
+RESET ROLE;
+GRANT regress_rol_rol49 to regress_rol_rol50 WITH ADMIN OPTION;
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+REVOKE regress_rol_rol50 FROM regress_rol_rol51;
+RESET ROLE;
+DROP ROLE regress_rol_rol51;
+DROP ROLE regress_rol_rol50;
+DROP ROLE regress_rol_rol49;
+-- Should fail. GRANT a ROLE should avoid becoming its own member / create loops
+CREATE ROLE regress_rol_rol52;
+CREATE ROLE regress_rol_rol53;
+GRANT regress_rol_rol52 TO regress_rol_rol52;
+ERROR: role "regress_rol_rol52" is a member of role "regress_rol_rol52"
+GRANT regress_rol_rol52 TO regress_rol_rol53;
+GRANT regress_rol_rol53 TO regress_rol_rol52;
+ERROR: role "regress_rol_rol53" is a member of role "regress_rol_rol52"
+DROP ROLE regress_rol_rol52;
+DROP ROLE regress_rol_rol53;
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE regress_rol_rol61;
+CREATE ROLE regress_rol_rol62;
+REVOKE regress_rol_rol62 FROM regress_rol_rol61;
+WARNING: role "regress_rol_rol61" is not a member of role "regress_rol_rol62"
+DROP ROLE regress_rol_rol62;
+DROP ROLE regress_rol_rol61;
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE regress_rol_rol63;
+CREATE ROLE regress_rol_rol64;
+GRANT regress_rol_rol64 TO regress_rol_rol63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR regress_rol_rol64 FROM regress_rol_rol63;
+DROP ROLE regress_rol_rol63;
+DROP ROLE regress_rol_rol64;
+-- Should fail. Can't ALTER ROLE VALID UNTIL with an invalid date
+CREATE ROLE regress_rol_rol65;
+ALTER ROLE regress_rol_rol65 VALID UNTIL '5874898/1/1'; -- Try invalid year
+ERROR: timestamp out of range: "5874898/1/1"
+ALTER ROLE regress_rol_rol65 VALID UNTIL 'invalid date'; -- Try non numeric date
+ERROR: invalid input syntax for type timestamp with time zone: "invalid date"
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/13/1';-- Try invalid month
+ERROR: date/time field value out of range: "2030/13/1"
+HINT: Perhaps you need a different "datestyle" setting.
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/1/32';-- Try invalid day
+ERROR: date/time field value out of range: "2030/1/32"
+HINT: Perhaps you need a different "datestyle" setting.
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/2/30';-- Try invalid day for feb
+ERROR: date/time field value out of range: "2030/2/30"
+DROP ROLE regress_rol_rol65;
+-- Finally drop the universally used ROLE
+DROP ROLE regress_rol_rol1;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 3e6b306..dafeb41 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -83,7 +83,7 @@ test: select_into select_distinct select_distinct_on select_implicit select_havi
# ----------
# Another group of parallel tests
# ----------
-test: privileges security_label collate matview
+test: privileges security_label collate matview role
# ----------
# Another group of parallel tests
diff --git a/src/test/regress/serial_schedule b/src/test/regress/serial_schedule
index 3ad289f..8c5402a 100644
--- a/src/test/regress/serial_schedule
+++ b/src/test/regress/serial_schedule
@@ -96,6 +96,7 @@ test: privileges
test: security_label
test: collate
test: matview
+test: role
test: alter_generic
test: misc
test: psql
diff --git a/src/test/regress/sql/role.sql b/src/test/regress/sql/role.sql
new file mode 100644
index 0000000..8c34da4
--- /dev/null
+++ b/src/test/regress/sql/role.sql
@@ -0,0 +1,314 @@
+--
+-- USER (ROLE)
+-- Regression tests to check for ROLE related operations
+--
+
+-- Should work. SET configuration during ALTER ROLE
+-- This role is used at multiple places and so DROPped at the end
+CREATE ROLE regress_rol_rol1;
+ALTER ROLE regress_rol_rol1 SET SEED=0.5;
+
+-- Should fail. Can't ALTER ROLE if it does not exist
+ALTER ROLE regress_rol_rol1b SUPERUSER;
+ALTER ROLE regress_rol_rol1b SET SEED=0.5;
+
+-- Should fail. Can't CREATE SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol2;
+SET ROLE regress_rol_rol2;
+CREATE ROLE regress_rol_rol3 SUPERUSER;
+RESET ROLE;
+DROP ROLE regress_rol_rol2;
+
+-- Should fail. Can't ALTER SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol2b;
+CREATE ROLE regress_rol_rol3b;
+SET ROLE regress_rol_rol2b;
+ALTER ROLE regress_rol_rol3b SUPERUSER;
+RESET ROLE;
+DROP ROLE regress_rol_rol3b;
+DROP ROLE regress_rol_rol2b;
+
+-- Should fail. Can't ALTER ROLE into a SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol4;
+CREATE ROLE regress_rol_rol5;
+SET ROLE regress_rol_rol4;
+ALTER ROLE regress_rol_rol5 SUPERUSER;
+RESET ROLE;
+DROP ROLE regress_rol_rol5;
+DROP ROLE regress_rol_rol4;
+
+-- Should fail. Can't ALTER ROLE on existing SUPERUSER if not self a SUPERUSER
+CREATE ROLE regress_rol_rol6 SUPERUSER;
+CREATE ROLE regress_rol_rol7;
+SET ROLE regress_rol_rol7;
+ALTER ROLE regress_rol_rol6 NOSUPERUSER;
+ALTER ROLE regress_rol_rol6 SET SEED=0.5;
+RESET ROLE;
+DROP ROLE regress_rol_rol7;
+DROP ROLE regress_rol_rol6;
+
+-- Should fail. Can't ALTER another ROLE without CREATE ROLE privilege
+CREATE ROLE regress_rol_rol7;
+CREATE ROLE regress_rol_rol8;
+SET ROLE regress_rol_rol8;
+ALTER ROLE regress_rol_rol7 SET SEED = 0.5;
+ALTER ROLE regress_rol_rol7 VALID UNTIL '9999/1/1';
+RESET ROLE;
+DROP ROLE regress_rol_rol8;
+DROP ROLE regress_rol_rol7;
+
+-- Should work. Do an ALTER ROLE SET on a database variable
+CREATE SCHEMA schema_ro9;
+SET ROLE regress_rol_rol1;
+ALTER ROLE regress_rol_rol1 SET search_path TO schema_ro9, public;
+RESET ROLE;
+DROP SCHEMA schema_ro9;
+
+-- Should fail. ALTER ROLE on valid DB entities but non-existent roles
+CREATE SCHEMA schema_ro11;
+ALTER ROLE schema_ro11 SET search_path TO schema_ro11, public;
+DROP SCHEMA schema_ro11;
+
+-- Should fail. Can't ALTER ROLE on REPLICATION user if not self a SUPERUSER
+CREATE ROLE regress_rol_rol12;
+CREATE ROLE regress_rol_rol13 WITH REPLICATION;
+SET ROLE regress_rol_rol12;
+ALTER ROLE regress_rol_rol13 SET SEED = 0.5;
+ALTER ROLE regress_rol_rol13 NOREPLICATION;
+DROP ROLE regress_rol_rol13;
+RESET ROLE;
+DROP ROLE regress_rol_rol13;
+DROP ROLE regress_rol_rol12;
+
+-- Should work. ALTER ROLE with (UN)ENCRYPTED PASSWORD
+ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD 'abc';
+
+-- Should fail. ALTER ROLE with (UN)ENCRYPTED PASSWORD but no password value
+ALTER ROLE regress_rol_rol1 WITH ENCRYPTED PASSWORD;
+ALTER ROLE regress_rol_rol1 WITH UNENCRYPTED PASSWORD;
+
+-- Should fail. ALTER ROLE with both UNENCRYPTED and ENCRYPTED
+ALTER ROLE regress_rol_rol1 WITH ENCRYPTED UNENCRYPTED PASSWORD 'abc';
+
+-- Should fail. ALTER ROLE with both INHERIT / NOINHERIT
+ALTER ROLE regress_rol_rol1 WITH INHERIT NOINHERIT;
+
+-- Should fail. ALTER ROLE with both CREATEDB / NOCREATEDB
+ALTER ROLE regress_rol_rol1 WITH CREATEDB NOCREATEDB;
+
+-- Should fail. ALTER ROLE with both LOGIN / NOLOGIN
+ALTER ROLE regress_rol_rol1 WITH LOGIN NOLOGIN;
+
+-- Should fail. ALTER ROLE with both CREATEROLE / NOCREATEROLE
+ALTER ROLE regress_rol_rol1 WITH CREATEROLE NOCREATEROLE;
+
+-- Should fail. ALTER ROLE with both REPLICATION / NOREPLICATION
+ALTER ROLE regress_rol_rol1 WITH REPLICATION NOREPLICATION;
+
+-- Should fail. ALTER ROLE with CONNECTION LIMIT 0
+ALTER ROLE regress_rol_rol1 WITH CONNECTION LIMIT 0;
+
+-- Should fail. ALTER ROLE with VALID UNTIL without a value
+ALTER ROLE regress_rol_rol1 VALID UNTIL;
+
+-- Should fail. ALTER ROLE with invalid option
+ALTER ROLE regress_rol_rol1 invalid_option;
+
+-- Should work. ALTER ROLE with valid values
+ALTER ROLE regress_rol_rol1 WITH VALID UNTIL '9999/1/1' INHERIT LOGIN REPLICATION
+ CREATEROLE CREATEDB SUPERUSER ENCRYPTED PASSWORD 'abc' CONNECTION LIMIT 5;
+
+-- Should work. ALTER ROLE with SET and valid values
+ALTER ROLE regress_rol_rol1 SET SEED = 0.5 ;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE
+ALTER ROLE regress_rol_rol1 IN DATABASE regression SET SEED = 0.5 ;
+
+-- Should work. ALTER ROLE with IN DATABASE with ROLE ALL
+BEGIN TRANSACTION;
+ALTER ROLE ALL IN DATABASE regression SET SEED = 0.5 ;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with PASSWORD NULL
+ALTER ROLE regress_rol_rol1 PASSWORD NULL;
+
+-- Should fail. ALTER ROLE with IN DATABASE with ROLE ALL without SUPERUSER
+BEGIN TRANSACTION;
+CREATE ROLE regress_rol_rol31;
+SET ROLE regress_rol_rol31;
+ALTER ROLE ALL IN DATABASE postgres SET SEED = 0.5 ;
+DROP ROLE regress_rol_rol31;
+ROLLBACK;
+
+-- Should fail. ALTER ROLE with ROLE ALL without SUPERUSER
+CREATE ROLE regress_rol_rol32;
+SET ROLE regress_rol_rol32;
+ALTER ROLE ALL SET SEED = 0.5 ;
+RESET ROLE;
+DROP ROLE regress_rol_rol32;
+
+-- Should fail. DROP ROLE for current user
+CREATE ROLE regress_rol_rol33 CREATEROLE;
+SET ROLE regress_rol_rol33;
+DROP ROLE regress_rol_rol33;
+RESET ROLE;
+DROP ROLE regress_rol_rol33;
+
+-- Should fail. DROP ROLE for session_user
+CREATE ROLE regress_rol_rol34 SUPERUSER;
+CREATE ROLE regress_rol_rol34a CREATEROLE;
+SET SESSION AUTHORIZATION regress_rol_rol34;
+SET ROLE regress_rol_rol34a;
+DROP ROLE regress_rol_rol34;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE regress_rol_rol34;
+DROP ROLE regress_rol_rol34a;
+
+-- Should work. ALTER ROLE RENAME
+ALTER ROLE regress_rol_rol1 RENAME TO regress_rol_rol1a;
+ALTER ROLE regress_rol_rol1a RENAME TO regress_rol_rol1; -- Roll back, for future tests
+
+-- Should fail. ALTER ROLE RENAME for non-existent role
+ALTER ROLE role_37b RENAME TO regress_rol_rol37b;
+
+-- Should fail. ALTER ROLE RENAME for session_user not allowed
+CREATE ROLE regress_rol_rol38;
+SET SESSION AUTHORIZATION regress_rol_rol38;
+ALTER ROLE regress_rol_rol38 RENAME TO regress_rol_rol38a;
+SET SESSION AUTHORIZATION DEFAULT;
+DROP ROLE regress_rol_rol38;
+
+-- Should fail. ALTER ROLE RENAME for current_user not allowed
+CREATE ROLE regress_rol_rol39 CREATEROLE;
+SET ROLE regress_rol_rol39;
+ALTER ROLE regress_rol_rol39 RENAME TO regress_rol_rol39a;
+RESET ROLE;
+DROP ROLE regress_rol_rol39;
+
+-- Should fail. ALTER ROLE RENAME where target role already exists / reserved
+CREATE ROLE regress_rol_rol40;
+ALTER ROLE regress_rol_rol40 RENAME TO regress_rol_rol1;
+ALTER ROLE regress_rol_rol40 RENAME TO public;
+ALTER ROLE regress_rol_rol40 RENAME TO none;
+DROP ROLE regress_rol_rol40;
+
+-- Should fail. ALTER ROLE RENAME for superuser requires SUPERUSER permission
+CREATE ROLE regress_rol_rol42 SUPERUSER;
+CREATE ROLE regress_rol_rol43;
+SET ROLE regress_rol_rol43;
+ALTER ROLE regress_rol_rol42 RENAME TO regress_rol_rol42a;
+RESET ROLE;
+DROP ROLE regress_rol_rol43;
+DROP ROLE regress_rol_rol42;
+
+-- Should fail. ALTER ROLE RENAME for non-superuser needs CREATEROLE permission
+CREATE ROLE regress_rol_rol44;
+CREATE ROLE regress_rol_rol45;
+SET ROLE regress_rol_rol45;
+ALTER ROLE regress_rol_rol44 RENAME TO regress_rol_rol44a;
+RESET ROLE;
+DROP ROLE regress_rol_rol45;
+DROP ROLE regress_rol_rol44;
+
+-- Should work. ALTER ROLE RENAME WITH ENCRYPTED PASSWORD should clear password
+CREATE ROLE regress_rol_rol46 WITH ENCRYPTED PASSWORD 'abc';
+ALTER ROLE regress_rol_rol46 RENAME TO regress_rol_rol46a;
+DROP ROLE regress_rol_rol46a;
+
+
+-- Should fail. GRANT / REVOKE on SUPERUSER requires SUPERUSER permission
+CREATE ROLE regress_rol_rol47 SUPERUSER;
+CREATE ROLE regress_rol_rol47b;
+CREATE ROLE regress_rol_rol48;
+
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+RESET ROLE;
+
+ALTER ROLE regress_rol_rol48 CREATEROLE;
+
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+RESET ROLE;
+
+ALTER ROLE regress_rol_rol48 SUPERUSER;
+
+SET ROLE regress_rol_rol48;
+GRANT regress_rol_rol47 TO regress_rol_rol47b;
+REVOKE regress_rol_rol47 FROM regress_rol_rol47b;
+RESET ROLE;
+
+DROP ROLE regress_rol_rol47;
+DROP ROLE regress_rol_rol47b;
+DROP ROLE regress_rol_rol48;
+
+
+
+-- Should fail. GRANT / REVOKE on another ROLE requires CREATEROLE / ADMIN
+CREATE ROLE regress_rol_rol49;
+CREATE ROLE regress_rol_rol50;
+CREATE ROLE regress_rol_rol51;
+
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+RESET ROLE;
+
+ALTER ROLE regress_rol_rol49 CREATEROLE;
+
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+REVOKE regress_rol_rol50 FROM regress_rol_rol51;
+RESET ROLE;
+
+GRANT regress_rol_rol49 to regress_rol_rol50 WITH ADMIN OPTION;
+
+SET ROLE regress_rol_rol49;
+GRANT regress_rol_rol50 TO regress_rol_rol51;
+REVOKE regress_rol_rol50 FROM regress_rol_rol51;
+RESET ROLE;
+
+DROP ROLE regress_rol_rol51;
+DROP ROLE regress_rol_rol50;
+DROP ROLE regress_rol_rol49;
+
+
+
+-- Should fail. GRANT a ROLE should avoid becoming its own member / create loops
+CREATE ROLE regress_rol_rol52;
+CREATE ROLE regress_rol_rol53;
+GRANT regress_rol_rol52 TO regress_rol_rol52;
+GRANT regress_rol_rol52 TO regress_rol_rol53;
+GRANT regress_rol_rol53 TO regress_rol_rol52;
+DROP ROLE regress_rol_rol52;
+DROP ROLE regress_rol_rol53;
+
+
+-- Should fail. REVOKE without membership should throw error
+CREATE ROLE regress_rol_rol61;
+CREATE ROLE regress_rol_rol62;
+REVOKE regress_rol_rol62 FROM regress_rol_rol61;
+DROP ROLE regress_rol_rol62;
+DROP ROLE regress_rol_rol61;
+
+
+-- Should work. REVOKE a GRANT WITH ADMIN OPTION
+CREATE ROLE regress_rol_rol63;
+CREATE ROLE regress_rol_rol64;
+GRANT regress_rol_rol64 TO regress_rol_rol63 WITH ADMIN OPTION;
+REVOKE ADMIN OPTION FOR regress_rol_rol64 FROM regress_rol_rol63;
+DROP ROLE regress_rol_rol63;
+DROP ROLE regress_rol_rol64;
+
+-- Should fail. Can't ALTER ROLE VALID UNTIL with an invalid date
+CREATE ROLE regress_rol_rol65;
+ALTER ROLE regress_rol_rol65 VALID UNTIL '5874898/1/1'; -- Try invalid year
+ALTER ROLE regress_rol_rol65 VALID UNTIL 'invalid date'; -- Try non numeric date
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/13/1';-- Try invalid month
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/1/32';-- Try invalid day
+ALTER ROLE regress_rol_rol65 VALID UNTIL '2030/2/30';-- Try invalid day for feb
+DROP ROLE regress_rol_rol65;
+
+-- Finally drop the universally used ROLE
+DROP ROLE regress_rol_rol1;
+
Re: Add regression tests for ROLE (USER)
On Mon, Jul 15, 2013 at 10:23 AM, Robins Tharakan <tharakan@gmail.com> wrote:
It still doesn't address the excessive (syntactical) checks tough. I am
still unclear as to how to identify which checks to skip. (As in, although I
have a personal preference of checking everything, my question probably
wasn't clear in my previous email. I was just asking 'how' to know which
checks to not perform.) Should a 'syntax error' in the message be considered
as an unnecessary check? If so, its easier for me to identify which checks
to skip, while creating future tests.
Yes, I think you can just leave out the syntax errors.
I simply don't understand how we can be getting any meaningful test
coverage out of those cases. I mean, if we want to check every bit of
syntax that could lead to a syntax error, we could probably come up
with a near-infinite number of test cases:
CREAT TABLE foo (x int);
CREATE TABL foo (x int);
CREATER TABLE foo (x int);
CREATE TABLES foo (x int);
CREATE CREATE TABLE foo (x int);
CREATE TABLE foo [x int);
CREATE TABLE foo (x int];
CREATE TABLE foo [x int];
CREATE TABLE (x int);
CREATE foo (x int);
...and on and on it goes. Once we start speculating that bison
doesn't actually produce a grammar that matches the productions
written in gram.y, there's no limit to what can go wrong, and no
amount of test coverage can be too large. In practice, the chances of
catching anything that way seem minute. If bison breaks in such a way
that all currently accepted grammatical constructs are still accepted
and work, but something that shouldn't have been accepted is, we'll
just have to find that out in some way other than our regression
tests. I think it's very unlikely that such a thing will happen, and
even if it does, I don't really see any reason to suppose that the
particular tests you've included here will be the ones that catch the
problem.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: Add regression tests for ROLE (USER)
I simply don't understand how we can be getting any meaningful test
coverage out of those cases. I mean, if we want to check every bit of
syntax that could lead to a syntax error, we could probably come up
with a near-infinite number of test cases:
I think that it would be enough to check for expected
keywords/identifier/stuff whether the syntax error reported make sense.
Basically the parser reports the first found inconsistency.
1. CREAT TABLE foo (x int);
2. CREATE TABL foo (x int);
3. CREATER TABLE foo (x int); -- same as 1
4. CREATE TABLES foo (x int); -- same as 2
5. CREATE CREATE TABLE foo (x int); -- hmmm.
6. CREATE TABLE foo [x int);
7. CREATE TABLE foo (x int];
8. CREATE TABLE foo [x int]; -- same as 6 & 7
9. CREATE TABLE (x int);
A. CREATE foo (x int); -- same as 2
This level of testing can be more or less linear in the number of token.
--
Fabien.
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: Add regression tests for ROLE (USER)
On Mon, Jul 15, 2013 at 11:48 AM, Fabien COELHO <coelho@cri.ensmp.fr> wrote:
I simply don't understand how we can be getting any meaningful test
coverage out of those cases. I mean, if we want to check every bit of
syntax that could lead to a syntax error, we could probably come up
with a near-infinite number of test cases:I think that it would be enough to check for expected
keywords/identifier/stuff whether the syntax error reported make sense.
Basically the parser reports the first found inconsistency.1. CREAT TABLE foo (x int);
2. CREATE TABL foo (x int);
3. CREATER TABLE foo (x int); -- same as 1
4. CREATE TABLES foo (x int); -- same as 2
5. CREATE CREATE TABLE foo (x int); -- hmmm.
6. CREATE TABLE foo [x int);
7. CREATE TABLE foo (x int];
8. CREATE TABLE foo [x int]; -- same as 6 & 7
9. CREATE TABLE (x int);
A. CREATE foo (x int); -- same as 2This level of testing can be more or less linear in the number of token.
Maybe so, but that's still a huge number of regression tests that in
practice won't find anything. But they will take work to maintain.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers