Translate lab documentation to English
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 14:50:52 -03:00
parent cde150b705
commit 52bf971b8b
33 changed files with 939 additions and 702 deletions

View File

@@ -1,47 +1,47 @@
# 04 - View Bypass Mandatory Access Control
## Objetivo
## Objective
Demonstrar que views e caminhos alternativos de acesso nao devem contornar a politica da tabela base.
Show that views and alternate access paths must not bypass the policy on the base table.
## O Que Este Lab Mostra
## What This Lab Shows
Antes do Oracle Deep Data Security, uma view legada pode expor linhas que deveriam estar protegidas. Depois de aplicar data grants e `USE DATA GRANTS ONLY`, tabela e view respeitam a mesma fronteira de acesso.
Before Oracle Deep Data Security, a legacy view can expose rows that should be protected. After data grants and `USE DATA GRANTS ONLY` are applied, both the table and the view respect the same access boundary.
## Personas
- `emma`: dona de conta.
- `marvin`: dono de conta.
- `emma`: account owner.
- `marvin`: account owner.
## Onde Executar Os Comandos
## Where To Run The Commands
Execute os comandos a partir da raiz do repositorio:
Run commands from the repository root:
```powershell
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
```
Conecte no banco com SQLcl ou SQL*Plus:
Connect to the database with SQLcl or SQL*Plus:
```bash
sql "<connect_string>"
```
## Passo A Passo - Antes, Ambiente Vulneravel
## Step By Step - Before, Vulnerable Environment
1. Acesse o banco:
1. Connect to the database:
```bash
sql "<connect_string>"
```
2. Limpe o cenario:
2. Reset the scenario:
```sql
@scenarios/04-view-bypass-mac/sql/99_reset.sql
```
3. Crie tabela, view, dados e personas:
3. Create the table, view, data, and personas:
```sql
@scenarios/04-view-bypass-mac/sql/00_schema.sql
@@ -49,7 +49,7 @@ sql "<connect_string>"
@scenarios/04-view-bypass-mac/sql/02_identities.sql
```
4. Consulte a view legada:
4. Query the legacy view:
```sql
SELECT account_id, account_name, owner_name, region, balance
@@ -57,31 +57,31 @@ sql "<connect_string>"
ORDER BY account_id;
```
Resultado esperado antes: a view pode mostrar contas de outros donos.
Expected result before protection: the view may show accounts owned by other users.
## Passo A Passo - Depois, Com Deep Data Security
## Step By Step - After, With Deep Data Security
1. Aplique data grants e Mandatory Access Control:
1. Apply data grants and Mandatory Access Control:
```sql
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql
```
2. Execute as consultas na tabela base e na view:
2. Run the base table and view queries:
```sql
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
```
3. Repita o teste simulando `emma` e `marvin`.
3. Repeat the test by simulating `emma` and `marvin`.
Resultado esperado depois:
Expected result after protection:
- A tabela retorna apenas a conta autorizada.
- A view retorna o mesmo subconjunto.
- O caminho alternativo deixa de funcionar como bypass.
- The table returns only the authorized account.
- The view returns the same authorized subset.
- The alternate access path no longer works as a bypass.
## Execucao Automatizada Opcional
## Optional Automated Execution
Windows:
@@ -95,7 +95,7 @@ Linux/macOS:
./scripts/run-scenario.sh 04-view-bypass-mac "<connect_string>"
```
## Detalhes Da Demo
## Demo Details
Veja o passo a passo completo, evidencias e referencias oficiais em [RUNBOOK.md](RUNBOOK.md).
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).