From 34704e7ec588f89ae500a800ad84ec717761dd21 Mon Sep 17 00:00:00 2001
From: Konstantin Osipov <kostja@tarantool.org>
Date: Thu, 18 Dec 2014 00:37:08 +0300
Subject: [PATCH] Add a few more tests for roles.

Check ER_GRANT error. Check distinct sources of privileges.
---
 test/box/role.result | 92 ++++++++++++++++++++++++++++++++++++++----
 test/box/role.test.lua | 45 +++++++++++++++++----
 2 files changed, 123 insertions(+), 14 deletions(-)

diff --git a/test/box/role.result b/test/box/role.result
index 310edbaabf..825d028db6 100644
--- a/test/box/role.result
+++ b/test/box/role.result
@@ -334,7 +334,7 @@ box.schema.role.grant("role2", "role10")
 ...
 --
 -- test grant propagation
---
+--
 box.schema.role.grant("role1", "read", "universe")
 ---
 ...
@@ -600,7 +600,7 @@ box.schema.role.drop("role9")
 box.schema.role.drop("role10")
 ---
 ...
---
+--
 -- only the creator of the role can grant it (or a superuser)
 -- There is no grant option.
 -- the same applies for privileges
@@ -663,18 +663,18 @@ box.schema.role.grant('grantee', 'read', 'space', 'test')
 ...
 --
 -- granting 'public' is however an exception - everyone
--- can grant 'public' role, it's implicitly granted with
+-- can grant 'public' role, it's implicitly granted with
 -- a grant option.
---
+--
 box.schema.role.grant('grantee', 'public')
 ---
 - error: User 'grantee' already has role 'public'
 ...
---
--- revoking role 'public' is another deal - only the
+--
+-- revoking role 'public' is another deal - only the
 -- superuser can do that, and even that would be useless,
 -- since one can still re-grant it back to oneself.
---
+--
 box.schema.role.revoke('grantee', 'public')
 ---
 - error: Create or drop access denied for user 'john'
@@ -697,3 +697,81 @@ box.schema.role.drop('role')
 box.space.test:drop()
 ---
 ...
+--
+-- grant a privilege through a role, but
+-- the user has another privilege either granted
+-- natively (one case) or via another role.
+-- Check that privileges actually OR, but
+-- not replace each other.
+--
+_ = box.schema.space.create('test')
+---
+...
+_ = box.space.test:create_index('primary')
+---
+...
+box.schema.user.create('john')
+---
+...
+box.schema.user.grant('john', 'read', 'space', 'test')
+---
+...
+box.session.su('john')
+---
+...
+box.space.test:select{}
+---
+- []
+...
+box.space.test:insert{1}
+---
+- error: Write access denied for user 'john' to space 'test'
+...
+box.session.su('admin')
+---
+...
+box.schema.role.grant('public', 'write', 'space', 'test')
+---
+...
+box.session.su('john')
+---
+...
+box.space.test:select{}
+---
+- []
+...
+box.space.test:insert{2}
+---
+- [2]
+...
+box.session.su('admin')
+---
+...
+box.schema.role.revoke('public', 'write', 'space', 'test')
+---
+...
+box.session.su('john')
+---
+...
+box.space.test:select{}
+---
+- - [2]
+...
+box.space.test:insert{1}
+---
+- error: Write access denied for user 'john' to space 'test'
+...
+box.session.su('admin')
+---
+...
+box.space.test:drop()
+---
+...
+box.schema.user.drop('john')
+---
+...
+-- test ER_GRANT
+box.space._priv:insert{1, 0, 'universe', 0, 0}
+---
+- error: 'Incorrect grant arguments: the grant tuple has no privileges'
+...
diff --git a/test/box/role.test.lua b/test/box/role.test.lua
index 14acba2421..9ead772c23 100644
--- a/test/box/role.test.lua
+++ b/test/box/role.test.lua
@@ -119,7 +119,7 @@ box.schema.role.grant("role2", "role10")
 
 --
 -- test grant propagation
---
+--
 box.schema.role.grant("role1", "read", "universe")
 box.session.su("user")
 box.space._space.index.name:get{"_space"}[3]
@@ -228,7 +228,7 @@ box.schema.role.drop("role9")
 box.schema.role.drop("role10")
 
 
---
+--
 -- only the creator of the role can grant it (or a superuser)
 -- There is no grant option.
 -- the same applies for privileges
@@ -255,15 +255,15 @@ box.schema.role.grant('grantee', 'role')
 box.schema.role.grant('grantee', 'read', 'space', 'test')
 --
 -- granting 'public' is however an exception - everyone
--- can grant 'public' role, it's implicitly granted with
+-- can grant 'public' role, it's implicitly granted with
 -- a grant option.
---
+--
 box.schema.role.grant('grantee', 'public')
---
--- revoking role 'public' is another deal - only the
+--
+-- revoking role 'public' is another deal - only the
 -- superuser can do that, and even that would be useless,
 -- since one can still re-grant it back to oneself.
---
+--
 box.schema.role.revoke('grantee', 'public')
 box.session.su('admin')
 
@@ -272,3 +272,34 @@ box.schema.user.drop('user')
 box.schema.user.drop('grantee')
 box.schema.role.drop('role')
 box.space.test:drop()
+
+--
+-- grant a privilege through a role, but
+-- the user has another privilege either granted
+-- natively (one case) or via another role.
+-- Check that privileges actually OR, but
+-- not replace each other.
+--
+_ = box.schema.space.create('test')
+_ = box.space.test:create_index('primary')
+box.schema.user.create('john')
+box.schema.user.grant('john', 'read', 'space', 'test')
+box.session.su('john')
+box.space.test:select{}
+box.space.test:insert{1}
+box.session.su('admin')
+box.schema.role.grant('public', 'write', 'space', 'test')
+box.session.su('john')
+box.space.test:select{}
+box.space.test:insert{2}
+box.session.su('admin')
+box.schema.role.revoke('public', 'write', 'space', 'test')
+box.session.su('john')
+box.space.test:select{}
+box.space.test:insert{1}
+box.session.su('admin')
+box.space.test:drop()
+box.schema.user.drop('john')
+
+-- test ER_GRANT
+box.space._priv:insert{1, 0, 'universe', 0, 0}
-- 
GitLab
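Review bot: The header comment of the new block in the `@@ -272,3 +272,34 @@` hunk promises a second privilege arriving either "natively (one case) or via another role", but the hunk only runs the native case — read via `box.schema.user.grant('john', 'read', 'space', 'test')` combined with write via the 'public' role — so the role-plus-role combination is claimed in the comment but never exercised. Either add that second case (read granted to a role that john holds, write still via 'public', repeating the same select/insert/revoke sequence so that revoking one source is shown not to strip the other) or narrow the comment to `-- the user has another privilege granted natively.` so the stated coverage matches what runs. The `-- test ER_GRANT` line would also help readers of role.result if it said what is being rejected, e.g. `-- test ER_GRANT: a raw _priv tuple whose last field (the privilege mask) is 0 must be rejected`, since the expected message 'the grant tuple has no privileges' is only meaningful with that layout in mind. The same comment text appears in the matching `@@ -697,3 +697,81 @@` hunk of test/box/role.result and should be kept in sync.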