Initial Oracle Deep Data Security lab kit
This commit is contained in:
10
scenarios/04-view-bypass-mac/README.md
Normal file
10
scenarios/04-view-bypass-mac/README.md
Normal file
@@ -0,0 +1,10 @@
|
||||
# 04 - View Bypass / Mandatory Access Control
|
||||
|
||||
## Objetivo
|
||||
|
||||
Demonstrar que views e caminhos alternativos de acesso não devem contornar a política da tabela base.
|
||||
|
||||
## Narrativa
|
||||
|
||||
Uma view legada expõe todos os dados. Com `USE DATA GRANTS ONLY`, a política da tabela base passa a ser aplicada de forma uniforme.
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
# Expected Results
|
||||
|
||||
- The base table returns only the account owned by the current end user.
|
||||
- The view returns the same restricted rows.
|
||||
- The broad view data grant does not bypass the base table policy when MAC is enabled.
|
||||
|
||||
12
scenarios/04-view-bypass-mac/metadata.yaml
Normal file
12
scenarios/04-view-bypass-mac/metadata.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
id: "04-view-bypass-mac"
|
||||
title: "View Bypass Mandatory Access Control"
|
||||
criticality: "high"
|
||||
estimated_time_minutes: 15
|
||||
audience:
|
||||
- dba
|
||||
- architect
|
||||
- security
|
||||
products:
|
||||
- "Oracle Deep Data Security"
|
||||
reset_supported: true
|
||||
|
||||
14
scenarios/04-view-bypass-mac/sql/00_schema.sql
Normal file
14
scenarios/04-view-bypass-mac/sql/00_schema.sql
Normal file
@@ -0,0 +1,14 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE TABLE dds_mac_accounts (
|
||||
account_id NUMBER PRIMARY KEY,
|
||||
account_name VARCHAR2(100),
|
||||
owner_name VARCHAR2(60),
|
||||
region VARCHAR2(30),
|
||||
balance NUMBER(12,2)
|
||||
);
|
||||
|
||||
CREATE VIEW dds_mac_accounts_view AS
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
FROM dds_mac_accounts;
|
||||
|
||||
8
scenarios/04-view-bypass-mac/sql/01_seed_data.sql
Normal file
8
scenarios/04-view-bypass-mac/sql/01_seed_data.sql
Normal file
@@ -0,0 +1,8 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
INSERT INTO dds_mac_accounts VALUES (1, 'Conta Alpha', 'emma', 'LATAM', 100000);
|
||||
INSERT INTO dds_mac_accounts VALUES (2, 'Conta Beta', 'marvin', 'LATAM', 250000);
|
||||
INSERT INTO dds_mac_accounts VALUES (3, 'Conta Gamma', 'erik', 'EMEA', 900000);
|
||||
|
||||
COMMIT;
|
||||
|
||||
9
scenarios/04-view-bypass-mac/sql/02_identities.sql
Normal file
9
scenarios/04-view-bypass-mac/sql/02_identities.sql
Normal file
@@ -0,0 +1,9 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE END USER emma IDENTIFIED BY "Welcome1_DDS!";
|
||||
CREATE END USER marvin IDENTIFIED BY "Welcome1_DDS!";
|
||||
|
||||
CREATE DATA ROLE account_owner_role;
|
||||
GRANT DATA ROLE account_owner_role TO emma;
|
||||
GRANT DATA ROLE account_owner_role TO marvin;
|
||||
|
||||
15
scenarios/04-view-bypass-mac/sql/03_data_grants.sql
Normal file
15
scenarios/04-view-bypass-mac/sql/03_data_grants.sql
Normal file
@@ -0,0 +1,15 @@
|
||||
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||
|
||||
CREATE OR REPLACE DATA GRANT mac_account_owner
|
||||
AS SELECT
|
||||
ON dds_mac_accounts
|
||||
WHERE owner_name = ORA_END_USER_CONTEXT.username
|
||||
TO account_owner_role;
|
||||
|
||||
CREATE OR REPLACE DATA GRANT mac_accounts_view_broad
|
||||
AS SELECT
|
||||
ON dds_mac_accounts_view
|
||||
TO account_owner_role;
|
||||
|
||||
SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED;
|
||||
|
||||
13
scenarios/04-view-bypass-mac/sql/04_test_queries.sql
Normal file
13
scenarios/04-view-bypass-mac/sql/04_test_queries.sql
Normal file
@@ -0,0 +1,13 @@
|
||||
SET PAGESIZE 100
|
||||
SET LINESIZE 200
|
||||
|
||||
PROMPT Query base table
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
FROM dds_mac_accounts
|
||||
ORDER BY account_id;
|
||||
|
||||
PROMPT Query view
|
||||
SELECT account_id, account_name, owner_name, region, balance
|
||||
FROM dds_mac_accounts_view
|
||||
ORDER BY account_id;
|
||||
|
||||
17
scenarios/04-view-bypass-mac/sql/99_reset.sql
Normal file
17
scenarios/04-view-bypass-mac/sql/99_reset.sql
Normal file
@@ -0,0 +1,17 @@
|
||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_mac_accounts DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT mac_account_owner'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT mac_accounts_view_broad'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP VIEW dds_mac_accounts_view'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP TABLE dds_mac_accounts PURGE'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE account_owner_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER emma'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER marvin'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||
/
|
||||
|
||||
3
scenarios/04-view-bypass-mac/tests/negative_tests.sql
Normal file
3
scenarios/04-view-bypass-mac/tests/negative_tests.sql
Normal file
@@ -0,0 +1,3 @@
|
||||
PROMPT Negative test: broad view grant must not override base table mandatory access control.
|
||||
SELECT COUNT(*) AS visible_rows_from_view FROM dds_mac_accounts_view;
|
||||
|
||||
3
scenarios/04-view-bypass-mac/tests/positive_tests.sql
Normal file
3
scenarios/04-view-bypass-mac/tests/positive_tests.sql
Normal file
@@ -0,0 +1,3 @@
|
||||
PROMPT Positive test: base table and view return the same authorized subset.
|
||||
@../sql/04_test_queries.sql
|
||||
|
||||
Reference in New Issue
Block a user