test: ensure privesc doesn't happen on normal role (#107)

Requires generating the test/expected/event_triggers.out dynamically.

Author: steve-chavez

.gitignore

@@ -9,3 +9,4 @@ results/*.out
 .history
 result*
 tags
+test/expected/event_triggers.out

Makefile

@@ -11,6 +11,7 @@ OBJS = src/supautils.o src/privileged_extensions.o src/drop_trigger_grants.o src
 
 PG_VERSION = $(strip $(shell $(PG_CONFIG) --version | $(GREP) -oP '(?<=PostgreSQL )[0-9]+'))
 PG_GE16 = $(shell test $(PG_VERSION) -ge 16; echo $$?)
+PG_GE14 = $(shell test $(PG_VERSION) -ge 14; echo $$?)
 SYSTEM = $(shell uname -s)
 
 TESTS := $(wildcard test/sql/*.sql)
@@ -26,5 +27,34 @@ endif
 REGRESS = $(patsubst test/sql/%.sql,%,$(TESTS))
 REGRESS_OPTS = --use-existing --inputdir=test
 
+GENERATED_OUT = test/expected/event_triggers.out
+EXTRA_CLEAN = $(GENERATED_OUT)
+
 PGXS := $(shell $(PG_CONFIG) --pgxs)
 include $(PGXS)
+
+.PHONY: $(GENERATED_OUT)
+$(GENERATED_OUT): $(GENERATED_OUT).in
+ifeq ($(PG_GE16), 0)
+	sed \
+		-e '/<\/\?PG_GE_16>/d' \
+		-e '/<PG_GE_13>/,/<\/PG_GE_13>/d' \
+		-e '/<PG_GE_14>/,/<\/PG_GE_14>/d' \
+		$? > $@
+else ifeq ($(PG_GE14), 0)
+	sed \
+		-e '/<\/\?PG_GE_14>/d' \
+		-e '/<PG_GE_13>/,/<\/PG_GE_13>/d' \
+		-e '/<PG_GE_16>/,/<\/PG_GE_16>/d' \
+		$? > $@
+else
+	sed \
+		-e '/<\/\?PG_GE_13>/d' \
+		-e '/<PG_GE_14>/,/<\/PG_GE_14>/d' \
+		-e '/<PG_GE_16>/,/<\/PG_GE_16>/d' \
+		$? > $@
+endif
+
+# extra dep for target in pgxs.mk
+installcheck: $(GENERATED_OUT)
+

test/expected/event_triggers.out renamed to test/expected/event_triggers.out.in

@@ -12,7 +12,7 @@ create or replace function become_super()
 $$
 begin
     raise notice 'transforming % to superuser', current_user;
-    alter role current_user superuser;
+    alter role rolecreator superuser;
 end;
 $$;
 grant all on schema public to privileged_role;
@@ -80,6 +80,28 @@ select count(*) = 1 as only_one_super from pg_roles where rolsuper;
  t
 (1 row)
 
+-- privesc won't happen because the event trigger function will fire with the privileges
+-- of the current role (this is pg default behavior)
+set role rolecreator;
+\echo
+
+create table dummy();
+NOTICE:  the event trigger is executed for rolecreator
+NOTICE:  transforming rolecreator to superuser
+<PG_GE_16>
+ERROR:  permission denied to alter role
+DETAIL:  Only roles with the SUPERUSER attribute may change the SUPERUSER attribute.
+</PG_GE_16>
+<PG_GE_14>
+ERROR:  must be superuser to alter superuser roles or change superuser attribute
+</PG_GE_14>
+<PG_GE_13>
+ERROR:  must be superuser to alter superusers
+</PG_GE_13>
+CONTEXT:  SQL statement "alter role rolecreator superuser"
+PL/pgSQL function become_super() line 4 at SQL statement
+\echo
+
 -- limitation: create extension won't fire event triggers due to implementation details (we switch to superuser temporarily to create them and we don't fire evtrigs for superusers)
 set role rolecreator;
 \echo

test/sql/event_triggers.sql

@@ -13,7 +13,7 @@ create or replace function become_super()
 $$
 begin
     raise notice 'transforming % to superuser', current_user;
-    alter role current_user superuser;
+    alter role rolecreator superuser;
 end;
 $$;
 
@@ -74,6 +74,14 @@ execute procedure become_super();
 create table super_duper_stuff();
 select count(*) = 1 as only_one_super from pg_roles where rolsuper;
 
+-- privesc won't happen because the event trigger function will fire with the privileges
+-- of the current role (this is pg default behavior)
+set role rolecreator;
+\echo
+
+create table dummy();
+\echo
+
 -- limitation: create extension won't fire event triggers due to implementation details (we switch to superuser temporarily to create them and we don't fire evtrigs for superusers)
 set role rolecreator;
 \echo