Add tests.

2024-11-22 07:31:57 +00:00 · 2022-07-11 18:22:21 +02:00 · 2022-07-11 18:22:21 +02:00 · 5691a859d6
commit 5691a859d6
parent c7cef91d4d
5 changed files with 375 additions and 0 deletions
--- a/tests/integration/test_disabled_access_control_improvements/configs/config.d/disable_access_control_improvements.xml
+++ b/tests/integration/test_disabled_access_control_improvements/configs/config.d/disable_access_control_improvements.xml
@ -1,5 +1,7 @@
 <clickhouse>
    <access_control_improvements>
        <users_without_row_policies_can_read_rows remove="remove"/>
+        <select_from_system_db_requires_grant remove="remove"/>
+        <select_from_information_schema_requires_grant remove="remove"/>
    </access_control_improvements>
 </clickhouse>
--- a/tests/integration/test_disabled_access_control_improvements/configs/users.d/another_user.xml
+++ b/tests/integration/test_disabled_access_control_improvements/configs/users.d/another_user.xml
@ -13,6 +13,9 @@
            </networks>
            <profile>default</profile>
            <quota>default</quota>
+            <allow_databases>
+                <database>mydb</database>
+            </allow_databases>
        </another>
    </users>
 </clickhouse>
--- a/tests/integration/test_disabled_access_control_improvements/test_select_from_system_tables.py
+++ b/tests/integration/test_disabled_access_control_improvements/test_select_from_system_tables.py
@ -0,0 +1,162 @@
+import os
+import pytest
+from helpers.cluster import ClickHouseCluster
+from helpers.test_tools import TSV
+
+cluster = ClickHouseCluster(__file__)
+node = cluster.add_instance(
+    "node",
+    main_configs=["configs/config.d/disable_access_control_improvements.xml"],
+    user_configs=[
+        "configs/users.d/another_user.xml",
+    ],
+)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def started_cluster():
+    try:
+        cluster.start()
+        node.query("CREATE DATABASE mydb")
+        node.query("CREATE TABLE mydb.table1(x UInt32) ENGINE=Log")
+        node.query("CREATE TABLE table2(x UInt32) ENGINE=Log")
+        yield cluster
+
+    finally:
+        cluster.shutdown()
+
+
+@pytest.fixture(autouse=True)
+def reset_after_test():
+    try:
+        node.query("CREATE USER OR REPLACE sqluser")
+        yield
+    finally:
+        pass
+
+
+def test_system_db():
+    assert node.query("SELECT count()>0 FROM system.settings") == "1\n"
+    assert node.query("SELECT count()>0 FROM system.users") == "1\n"
+    assert node.query("SELECT count()>0 FROM system.clusters") == "1\n"
+    assert node.query("SELECT count() FROM system.tables WHERE name='table1'") == "1\n"
+    assert node.query("SELECT count() FROM system.tables WHERE name='table2'") == "1\n"
+
+    assert node.query("SELECT count()>0 FROM system.settings", user="another") == "1\n"
+    expected_error = "necessary to have grant SHOW USERS ON *.*"
+    assert expected_error in node.query_and_get_error(
+        "SELECT count()>0 FROM system.users", user="another"
+    )
+    assert node.query("SELECT count()>0 FROM system.clusters", user="another") == "1\n"
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table1'", user="another"
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table2'", user="another"
+        )
+        == "0\n"
+    )
+
+    assert node.query("SELECT count()>0 FROM system.settings", user="sqluser") == "1\n"
+    expected_error = "necessary to have grant SHOW USERS ON *.*"
+    assert expected_error in node.query_and_get_error(
+        "SELECT count()>0 FROM system.users", user="sqluser"
+    )
+    assert node.query("SELECT count()>0 FROM system.clusters", user="sqluser") == "1\n"
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table1'", user="sqluser"
+        )
+        == "0\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table2'", user="sqluser"
+        )
+        == "0\n"
+    )
+
+    node.query("GRANT SHOW USERS ON *.* TO sqluser")
+    node.query("GRANT SHOW ON mydb.table1 TO sqluser")
+    node.query("GRANT SHOW ON table2 TO sqluser")
+    assert node.query("SELECT count()>0 FROM system.settings", user="sqluser") == "1\n"
+    assert node.query("SELECT count()>0 FROM system.users", user="sqluser") == "1\n"
+    assert node.query("SELECT count()>0 FROM system.clusters", user="sqluser") == "1\n"
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table1'", user="sqluser"
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table2'", user="sqluser"
+        )
+        == "1\n"
+    )
+
+
+def test_information_schema():
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table1'"
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table2'"
+        )
+        == "1\n"
+    )
+
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table1'",
+            user="another",
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table2'",
+            user="another",
+        )
+        == "0\n"
+    )
+
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table1'",
+            user="sqluser",
+        )
+        == "0\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table2'",
+            user="sqluser",
+        )
+        == "0\n"
+    )
+
+    node.query("GRANT SHOW ON mydb.table1 TO sqluser")
+    node.query("GRANT SHOW ON table2 TO sqluser")
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table1'",
+            user="sqluser",
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table2'",
+            user="sqluser",
+        )
+        == "1\n"
+    )
--- a/tests/integration/test_select_access_rights/configs/another_user.xml
+++ b/tests/integration/test_select_access_rights/configs/another_user.xml
@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <users>
+        <another>
+            <password/>
+            <networks>
+                <ip>::/0</ip>
+            </networks>
+            <profile>default</profile>
+            <quota>default</quota>
+            <allow_databases>
+                <database>mydb</database>
+            </allow_databases>
+        </another>
+    </users>
+</clickhouse>
--- a/tests/integration/test_select_access_rights/test_select_from_system_tables.py
+++ b/tests/integration/test_select_access_rights/test_select_from_system_tables.py
@ -0,0 +1,192 @@
+import os
+import pytest
+from helpers.cluster import ClickHouseCluster
+from helpers.test_tools import TSV
+
+cluster = ClickHouseCluster(__file__)
+node = cluster.add_instance(
+    "node",
+    user_configs=[
+        "configs/another_user.xml",
+    ],
+)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def started_cluster():
+    try:
+        cluster.start()
+        node.query("CREATE DATABASE mydb")
+        node.query("CREATE TABLE mydb.table1(x UInt32) ENGINE=Log")
+        node.query("CREATE TABLE table2(x UInt32) ENGINE=Log")
+        yield cluster
+
+    finally:
+        cluster.shutdown()
+
+
+@pytest.fixture(autouse=True)
+def reset_after_test():
+    try:
+        node.query("CREATE USER OR REPLACE sqluser")
+        yield
+    finally:
+        pass
+
+
+def test_system_db():
+    assert node.query("SELECT count()>0 FROM system.settings") == "1\n"
+    assert node.query("SELECT count()>0 FROM system.users") == "1\n"
+    assert node.query("SELECT count()>0 FROM system.clusters") == "1\n"
+    assert node.query("SELECT count() FROM system.tables WHERE name='table1'") == "1\n"
+    assert node.query("SELECT count() FROM system.tables WHERE name='table2'") == "1\n"
+
+    assert node.query("SELECT count()>0 FROM system.settings", user="another") == "1\n"
+
+    expected_error = (
+        "necessary to have grant SELECT for at least one column on system.users"
+    )
+    assert expected_error in node.query_and_get_error(
+        "SELECT count()>0 FROM system.users", user="another"
+    )
+
+    expected_error = (
+        "necessary to have grant SELECT for at least one column on system.clusters"
+    )
+    assert expected_error in node.query_and_get_error(
+        "SELECT count()>0 FROM system.clusters", user="another"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table1'", user="another"
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table2'", user="another"
+        )
+        == "0\n"
+    )
+
+    assert node.query("SELECT count()>0 FROM system.settings", user="sqluser") == "1\n"
+
+    expected_error = (
+        "necessary to have grant SELECT for at least one column on system.users"
+    )
+    assert expected_error in node.query_and_get_error(
+        "SELECT count()>0 FROM system.users", user="sqluser"
+    )
+
+    expected_error = (
+        "necessary to have grant SELECT for at least one column on system.clusters"
+    )
+    assert node.query_and_get_error(
+        "SELECT count()>0 FROM system.clusters", user="sqluser"
+    )
+
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table1'", user="sqluser"
+        )
+        == "0\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table2'", user="sqluser"
+        )
+        == "0\n"
+    )
+
+    node.query("GRANT SELECT ON system.users TO sqluser")
+    node.query("GRANT SELECT ON system.clusters TO sqluser")
+    node.query("GRANT SHOW ON mydb.table1 TO sqluser")
+    node.query("GRANT SHOW ON table2 TO sqluser")
+    assert node.query("SELECT count()>0 FROM system.settings", user="sqluser") == "1\n"
+    assert node.query("SELECT count()>0 FROM system.users", user="sqluser") == "1\n"
+    assert node.query("SELECT count()>0 FROM system.clusters", user="sqluser") == "1\n"
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table1'", user="sqluser"
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM system.tables WHERE name='table2'", user="sqluser"
+        )
+        == "1\n"
+    )
+
+    node.query("REVOKE ALL ON *.* FROM sqluser")
+    node.query("GRANT SHOW USERS ON *.* TO sqluser")
+    assert node.query("SELECT count()>0 FROM system.users", user="sqluser") == "1\n"
+
+
+def test_information_schema():
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table1'"
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table2'"
+        )
+        == "1\n"
+    )
+
+    expected_error = (
+        "necessary to have grant SELECT(table_name) ON information_schema.tables"
+    )
+    assert expected_error in node.query_and_get_error(
+        "SELECT count() FROM information_schema.tables WHERE table_name='table1'",
+        user="another",
+    )
+    assert expected_error in node.query_and_get_error(
+        "SELECT count() FROM information_schema.tables WHERE table_name='table2'",
+        user="another",
+    )
+
+    assert expected_error in node.query_and_get_error(
+        "SELECT count() FROM information_schema.tables WHERE table_name='table1'",
+        user="sqluser",
+    )
+    assert expected_error in node.query_and_get_error(
+        "SELECT count() FROM information_schema.tables WHERE table_name='table2'",
+        user="sqluser",
+    )
+
+    node.query("GRANT SELECT ON information_schema.* TO sqluser")
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table1'",
+            user="sqluser",
+        )
+        == "0\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table2'",
+            user="sqluser",
+        )
+        == "0\n"
+    )
+
+    node.query("GRANT SHOW ON mydb.table1 TO sqluser")
+    node.query("GRANT SHOW ON table2 TO sqluser")
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table1'",
+            user="sqluser",
+        )
+        == "1\n"
+    )
+    assert (
+        node.query(
+            "SELECT count() FROM information_schema.tables WHERE table_name='table2'",
+            user="sqluser",
+        )
+        == "1\n"
+    )