security.sql
\set ECHO none
-- psql setup: ECHO is turned off above so statements are not echoed, and the
-- unaligned format below prints result rows without column padding.
\pset format unaligned
-- Unqualified names in this script resolve through provsql_test first, then
-- provsql. Objects created below without a schema go to the first schema on
-- this path.
SET search_path TO provsql_test,provsql;
/* The security semiring */
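-- State transition function of the security_min aggregate: returns the lower
-- of the running level and the next input level, compared with the enum's own
-- ordering (assumes classification_level is declared from least to most
-- restrictive; confirm against the type definition).
--
-- NULL handling: a NULL on either side yields the other argument, so a NULL
-- input is skipped. Without the explicit `level IS NULL` branch the
-- comparison `state < level` is NULL, the CASE falls through to ELSE and
-- returns NULL, and the next row restarts the fold from its own value,
-- discarding every level accumulated so far.
-- Skipping a NULL treats an unlabelled row as contributing nothing; where
-- unlabelled data must fail closed, enforce NOT NULL on the mapped column.
CREATE FUNCTION security_min_state(state classification_level, level classification_level)
  RETURNS classification_level AS
$$
  SELECT CASE
    WHEN state IS NULL THEN level   -- no running value yet: adopt the input
    WHEN level IS NULL THEN state   -- unlabelled input: keep the running value
    WHEN state < level THEN state
    ELSE level
  END
$$ LANGUAGE SQL IMMUTABLE;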
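-- State transition function of the security_max aggregate: returns the
-- higher of the running level and the next input level, compared with the
-- enum's own ordering (assumes classification_level is declared from least
-- to most restrictive; confirm against the type definition).
--
-- NULL handling: a NULL on either side yields the other argument, so a NULL
-- input is skipped. Without the explicit `level IS NULL` branch the
-- comparison `state < level` is NULL, the CASE falls through to ELSE and
-- returns the NULL state, and the next row restarts the fold from its own
-- value. A single unlabelled row could then make the aggregate report a
-- level lower than one it had already seen (under-classification).
-- Skipping a NULL treats an unlabelled row as contributing nothing; where
-- unlabelled data must fail closed, enforce NOT NULL on the mapped column.
CREATE FUNCTION security_max_state(state classification_level, level classification_level)
  RETURNS classification_level AS
$$
  SELECT CASE
    WHEN state IS NULL THEN level   -- no running value yet: adopt the input
    WHEN level IS NULL THEN state   -- unlabelled input: keep the running value
    WHEN state < level THEN level
    ELSE state
  END
$$ LANGUAGE SQL IMMUTABLE;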
-- Aggregate that folds classification levels with security_min_state, keeping
-- the lowest level seen per the enum's ordering. The fold starts from
-- 'top_secret', which is also the result over an empty input (presumably the
-- highest member of classification_level; confirm against the type).
CREATE AGGREGATE security_min(classification_level) (
  SFUNC    = security_min_state,
  STYPE    = classification_level,
  INITCOND = 'top_secret'
);
-- Aggregate that folds classification levels with security_max_state, keeping
-- the highest level seen per the enum's ordering. The fold starts from
-- 'unclassified', which is also the result over an empty input (presumably
-- the lowest member of classification_level; confirm against the type).
CREATE AGGREGATE security_max(classification_level) (
  SFUNC    = security_max_state,
  STYPE    = classification_level,
  INITCOND = 'unclassified'
);
-- Evaluates the provenance identified by `token` to a classification level.
-- `token2value` is the mapping relation handed to provenance_evaluate
-- unchanged. The remaining arguments are 'unclassified' and the names of the
-- security_min and security_max aggregates; presumably these act as the
-- semiring's one element, addition and multiplication (confirm against
-- provenance_evaluate's signature).
-- NOTE(review): the aggregate names are passed as unqualified strings, so the
-- functions they resolve to likely depend on the search_path in effect when
-- this runs. Callers outside this script should verify which schema wins.
CREATE FUNCTION security(token UUID, token2value regclass)
  RETURNS classification_level
  LANGUAGE plpgsql
  PARALLEL SAFE
AS $$
BEGIN
  RETURN provenance_evaluate(
    token, token2value,
    'unclassified'::classification_level,
    'security_min', 'security_max'
  );
END;
$$;
/* Example of provenance evaluation */
-- Register a mapping named personnel_level built from table personnel and its
-- classification column (presumably token -> classification value; confirm
-- against create_provenance_mapping).
SELECT create_provenance_mapping('personnel_level', 'personnel', 'classification');
-- Self-join personnel on city; p1.id < p2.id keeps each unordered pair of
-- distinct people once. For each city, security() evaluates the provenance of
-- the grouped row against the personnel_level mapping.
CREATE TABLE result_security AS SELECT
p1.city,
security(provenance(),'personnel_level')
FROM personnel p1, personnel p2
WHERE p1.city = p2.city AND p1.id < p2.id
GROUP BY p1.city
ORDER BY p1.city;
-- Presumably strips the provenance column from the materialised table so the
-- SELECT * below shows only city and level (confirm against remove_provenance).
SELECT remove_provenance('result_security');
-- NOTE(review): no ORDER BY here; the displayed row order relies on the order
-- in which CREATE TABLE AS stored the rows, which SQL does not guarantee.
SELECT * FROM result_security;
-- Clean up the scratch table created by this example.
DROP TABLE result_security;