add more code

postgresql007 · postgresql007 · commit 38d60e4687ac · 2018-09-30T17:31:00.000+02:00
diff --git a/declarative_checks.sql b/declarative_checks.sql
@@ -0,0 +1,37 @@
+BEGIN;
+
+CREATE TABLE permissions.t_desired_permission
+(
+	id		int4	PRIMARY KEY,
+	rolname		text,
+	perms		text[],
+	operation	text,
+	obj		text,
+	sub_obj		text
+);
+
+INSERT INTO permissions.t_desired_permission
+	VALUES	(1, 'anon', '{"SELECT", "INSERT"}', 'all_tables_in_schema', 'public', NULL), 
+			-- anon should have SELECT and INSERT in all tables in schema public
+	      
+		(2, NULL, '{"SELECT"}', 'all_tables_in_schema', 'sales', NULL),
+			-- everbody should have SELECT on all tables in schema sales
+
+		(3, NULL, '{"USAGE"}', 'all_schemas', NULL, NULL),
+			-- everybody should have usage rights in all schemas
+
+		(4, 'joe', '{"SELECT"}', 'on_table', 'public', 't_test'),
+			-- joe should have SELECT on table public.t_test
+
+		(5, NULL, '{"SELECT", "INSERT"}', NULL, NULL, NULL),
+			-- everbody should have SELECT and INSERT on all tables and views in all schemas
+
+		(6, 'joe', '{"SELECT"}', 'on_view', 'public', 'v_test'),
+			-- joe should have SELECT on view public.v_test
+
+		(7, NULL, '{"EXECUTE"}', 'on_functions_in_schema', 'public', NULL)
+			-- everbody should have EXECUTE on all function in schema public
+;
+
+ROLLBACK;
+
diff --git a/materialize_permissions.sql b/materialize_permissions.sql
@@ -0,0 +1,46 @@
+BEGIN;
+
+CREATE MATERIALIZED VIEW security_status AS SELECT * FROM permissions.all_permissions;
+
+SELECT count(*) FROM security_status;
+
+
+CREATE TABLE track_security_changes (LIKE security_status);
+ALTER TABLE track_security_changes ADD COLUMN t timestamptz DEFAULT now();
+ALTER TABLE track_security_changes ADD COLUMN change text CHECK (change IN ('added', 'removed')) NOT NULL;
+
+-- create a function and an event trigger
+CREATE OR REPLACE FUNCTION detect_permission_change()
+RETURNS event_trigger AS
+$$
+	BEGIN
+		RAISE NOTICE 'checking security situation for % and %', tg_event, tg_tag;
+		INSERT INTO track_security_changes
+		SELECT	*, now(), 'added'
+		FROM (
+			SELECT 	* FROM permissions.all_permissions
+			EXCEPT
+			SELECT  * FROM security_status
+      		     ) AS x
+		UNION ALL
+		SELECT	*, now(), 'removed'
+		FROM (
+			SELECT  * FROM security_status
+			EXCEPT
+			SELECT 	* FROM permissions.all_permissions
+		     ) AS x;
+	END;
+$$ LANGUAGE 'plpgsql';
+
+CREATE EVENT TRIGGER detect_permission_change
+	ON ddl_command_end
+	EXECUTE PROCEDURE detect_permission_change();
+
+
+-- test the code
+-- CREATE TABLE t_abc (id int);
+-- GRANT ALL ON t_abc TO jane;
+-- DROP TABLE t_test;
+
+-- SELECT * FROM track_security_changes WHERE object_type <> 'column';
+
