Initial Oracle Deep Data Security lab kit
This commit is contained in:
14
scenarios/02-shared-app-account/README.md
Normal file
14
scenarios/02-shared-app-account/README.md
Normal file
@@ -0,0 +1,14 @@
|
||||
# 02 - Shared App Account
|
||||
|
||||
## Objetivo
|
||||
|
||||
Demonstrar o risco de uma conta técnica de aplicação usada por muitos usuários e como a política no banco deve considerar o usuário final.
|
||||
|
||||
## Narrativa
|
||||
|
||||
Uma aplicação conecta ao banco com uma conta técnica. Sem contexto de usuário final, qualquer falha na aplicação ou SQL dinâmico pode expor dados além do necessário. Com Deep Data Security, o banco avalia data grants no contexto do end user propagado.
|
||||
|
||||
## Resultado Esperado
|
||||
|
||||
O usuário final vê apenas seus pedidos ou os pedidos da sua região, mesmo que a conta técnica tenha conectividade com o banco.
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
# Expected Results
|
||||
|
||||
- `alice` sees her orders and no `margin`.
|
||||
- `bruno` sees LATAM orders with all columns.
|
||||
- The shared technical account alone is not the authorization boundary for data access.
|
||||
|
||||
12
scenarios/02-shared-app-account/metadata.yaml
Normal file
12
scenarios/02-shared-app-account/metadata.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
id: "02-shared-app-account"
|
||||
title: "Shared App Account"
|
||||
criticality: "critical"
|
||||
estimated_time_minutes: 20
|
||||
audience:
|
||||
- architect
|
||||
- appsec
|
||||
- dba
|
||||
products:
|
||||
- "Oracle Deep Data Security"
|
||||
reset_supported: true
|
||||
|
||||
11
scenarios/02-shared-app-account/sql/00_schema.sql
Normal file
11
scenarios/02-shared-app-account/sql/00_schema.sql
Normal file
@@ -0,0 +1,11 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE TABLE dds_orders (
|
||||
order_id NUMBER GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
|
||||
customer_name VARCHAR2(100) NOT NULL,
|
||||
region VARCHAR2(30) NOT NULL,
|
||||
seller VARCHAR2(60) NOT NULL,
|
||||
amount NUMBER(12,2) NOT NULL,
|
||||
margin NUMBER(12,2) NOT NULL
|
||||
);
|
||||
|
||||
9
scenarios/02-shared-app-account/sql/01_seed_data.sql
Normal file
9
scenarios/02-shared-app-account/sql/01_seed_data.sql
Normal file
@@ -0,0 +1,9 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
INSERT INTO dds_orders (customer_name, region, seller, amount, margin) VALUES ('Acme Brasil', 'LATAM', 'alice', 10000, 2100);
|
||||
INSERT INTO dds_orders (customer_name, region, seller, amount, margin) VALUES ('Andes Retail', 'LATAM', 'alice', 15000, 3200);
|
||||
INSERT INTO dds_orders (customer_name, region, seller, amount, margin) VALUES ('Northwind US', 'NA', 'natalie', 18000, 5000);
|
||||
INSERT INTO dds_orders (customer_name, region, seller, amount, margin) VALUES ('Euro Health', 'EMEA', 'erik', 21000, 6100);
|
||||
|
||||
COMMIT;
|
||||
|
||||
14
scenarios/02-shared-app-account/sql/02_identities.sql
Normal file
14
scenarios/02-shared-app-account/sql/02_identities.sql
Normal file
@@ -0,0 +1,14 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE END USER alice IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER bruno IDENTIFIED BY "Welcome1_DDS!";
|
||||
|
||||
CREATE DATA ROLE seller_role;
|
||||
CREATE DATA ROLE latam_manager_role;
|
||||
|
||||
GRANT DATA ROLE seller_role TO alice;
|
||||
GRANT DATA ROLE latam_manager_role TO bruno;
|
||||
|
||||
CREATE USER dds_app IDENTIFIED BY "Welcome1_DDS_App!" ACCOUNT UNLOCK;
|
||||
GRANT CREATE SESSION TO dds_app;
|
||||
|
||||
16
scenarios/02-shared-app-account/sql/03_data_grants.sql
Normal file
16
scenarios/02-shared-app-account/sql/03_data_grants.sql
Normal file
@@ -0,0 +1,16 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE OR REPLACE DATA GRANT seller_own_orders
|
||||
AS SELECT (order_id, customer_name, region, seller, amount)
|
||||
ON dds_orders
|
||||
WHERE seller = ORA_END_USER_CONTEXT.username
|
||||
TO seller_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT latam_manager_orders
|
||||
AS SELECT
|
||||
ON dds_orders
|
||||
WHERE region = 'LATAM'
|
||||
TO latam_manager_role;
|
||||
|
||||
SET USE DATA GRANTS ONLY ON dds_orders ENABLED;
|
||||
|
||||
7
scenarios/02-shared-app-account/sql/04_test_queries.sql
Normal file
7
scenarios/02-shared-app-account/sql/04_test_queries.sql
Normal file
@@ -0,0 +1,7 @@
|
||||
SET PAGESIZE 100
|
||||
SET LINESIZE 200
|
||||
|
||||
SELECT order_id, customer_name, region, seller, amount, margin
|
||||
FROM dds_orders
|
||||
ORDER BY order_id;
|
||||
|
||||
19
scenarios/02-shared-app-account/sql/99_reset.sql
Normal file
19
scenarios/02-shared-app-account/sql/99_reset.sql
Normal file
@@ -0,0 +1,19 @@
|
||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_orders DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT seller_own_orders'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT latam_manager_orders'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_orders PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP USER dds_app CASCADE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE seller_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE latam_manager_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER alice'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER bruno'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
|
||||
3
scenarios/02-shared-app-account/tests/negative_tests.sql
Normal file
3
scenarios/02-shared-app-account/tests/negative_tests.sql
Normal file
@@ -0,0 +1,3 @@
|
||||
PROMPT Negative test: user with seller role must not see other regions or margin.
|
||||
SELECT * FROM dds_orders;
|
||||
|
||||
3
scenarios/02-shared-app-account/tests/positive_tests.sql
Normal file
3
scenarios/02-shared-app-account/tests/positive_tests.sql
Normal file
@@ -0,0 +1,3 @@
|
||||
PROMPT Positive test: application-mediated users receive their own authorized orders.
|
||||
@../sql/04_test_queries.sql
|
||||
|
||||
Reference in New Issue
Block a user