Improve view bypass lab before and after flow
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -1,14 +1,28 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE TABLE dds_mac_accounts (
|
||||
account_id NUMBER PRIMARY KEY,
|
||||
account_name VARCHAR2(100),
|
||||
owner_name VARCHAR2(60),
|
||||
region VARCHAR2(30),
|
||||
balance NUMBER(12,2)
|
||||
);
|
||||
|
||||
CREATE VIEW dds_mac_accounts_view AS
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
FROM dds_mac_accounts;
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE q'[
|
||||
CREATE TABLE dds_mac_accounts (
|
||||
account_id NUMBER PRIMARY KEY,
|
||||
account_name VARCHAR2(100),
|
||||
owner_name VARCHAR2(60),
|
||||
region VARCHAR2(30),
|
||||
balance NUMBER(12,2)
|
||||
)
|
||||
]';
|
||||
EXCEPTION
|
||||
WHEN OTHERS THEN
|
||||
IF SQLCODE != -955 THEN
|
||||
RAISE;
|
||||
END IF;
|
||||
END;
|
||||
/
|
||||
|
||||
BEGIN
|
||||
EXECUTE IMMEDIATE q'[
|
||||
CREATE OR REPLACE VIEW dds_mac_accounts_view AS
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
FROM dds_mac_accounts
|
||||
]';
|
||||
END;
|
||||
/
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
DELETE FROM dds_mac_accounts;
|
||||
|
||||
INSERT INTO dds_mac_accounts VALUES (1, 'Account Alpha', 'emma', 'LATAM', 100000);
|
||||
INSERT INTO dds_mac_accounts VALUES (2, 'Account Beta', 'marvin', 'LATAM', 250000);
|
||||
INSERT INTO dds_mac_accounts VALUES (3, 'Account Gamma', 'erik', 'EMEA', 900000);
|
||||
|
||||
@@ -2,6 +2,7 @@ WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE END USER emma IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER marvin IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER erik IDENTIFIED BY "Welcome1_DDS!";
|
||||
|
||||
CREATE DATA ROLE account_owner_role;
|
||||
|
||||
@@ -9,5 +10,13 @@ CREATE ROLE mac_session_role;
|
||||
GRANT CREATE SESSION TO mac_session_role;
|
||||
GRANT mac_session_role TO account_owner_role;
|
||||
|
||||
-- Vulnerable baseline: this broad role simulates legacy direct table and view
|
||||
-- access before DDS mandatory enforcement is enabled.
|
||||
CREATE ROLE mac_legacy_broad_access_role;
|
||||
GRANT SELECT ON dds_mac_accounts TO mac_legacy_broad_access_role;
|
||||
GRANT SELECT ON dds_mac_accounts_view TO mac_legacy_broad_access_role;
|
||||
GRANT mac_legacy_broad_access_role TO account_owner_role;
|
||||
|
||||
GRANT DATA ROLE account_owner_role TO emma;
|
||||
GRANT DATA ROLE account_owner_role TO marvin;
|
||||
GRANT DATA ROLE account_owner_role TO erik;
|
||||
|
||||
@@ -3,7 +3,7 @@ WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
CREATE OR REPLACE DATA GRANT mac_account_owner
|
||||
AS SELECT
|
||||
ON dds_mac_accounts
|
||||
WHERE owner_name = ORA_END_USER_CONTEXT.username
|
||||
WHERE UPPER(owner_name) = ORA_END_USER_CONTEXT.username
|
||||
TO account_owner_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT mac_accounts_view_broad
|
||||
|
||||
@@ -12,7 +12,11 @@ BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE account_owner_role'; EXCEPTION WHEN OTHE
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP ROLE mac_session_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP ROLE mac_legacy_broad_access_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER emma'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER marvin'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER erik'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
|
||||
Reference in New Issue
Block a user