From 21e2d6ee91c334c384aed5543797892b8ce54b0a Mon Sep 17 00:00:00 2001
From: ANJU BHARTI
Date: Fri, 20 Dec 2024 04:26:57 +0000
Subject: [PATCH] Do not allow predefined server roles to be members of each other

Signed-off-by: ANJU BHARTI

---
 contrib/babelfishpg_tsql/src/rolecmds.c | 6 +++
 .../expected/dbcreator_role-vu-verify.out | 43 +++++++++++++++++++
 .../single_db/dbcreator_role-vu-verify.out | 43 +++++++++++++++++++
 test/JDBC/input/dbcreator_role-vu-verify.mix | 19 ++++++++
 4 files changed, 111 insertions(+)

diff --git a/contrib/babelfishpg_tsql/src/rolecmds.c b/contrib/babelfishpg_tsql/src/rolecmds.c
index 90c6120c9c..4e3fb8d92c 100644
--- a/contrib/babelfishpg_tsql/src/rolecmds.c
+++ b/contrib/babelfishpg_tsql/src/rolecmds.c
@@ -1946,6 +1946,12 @@ check_alter_server_stmt(GrantRoleStmt *stmt)
 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 errmsg("'sysadmin' role cannot be granted to login: a user is already created in database '%s'", db_name)));
 
+ /* Forbidden the use of fixed server principals as grantee*/
+ if (IS_BBF_FIXED_SERVER_ROLE(grantee_name))
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("Cannot use the special principal '%s'", grantee_name)));
+
 /*
 * could not drop the last member of sysadmin excluding bbf_role_admin,
 * which always needs to be its member.
diff --git a/test/JDBC/expected/dbcreator_role-vu-verify.out b/test/JDBC/expected/dbcreator_role-vu-verify.out
index cd3efe781a..f85378386f 100644
--- a/test/JDBC/expected/dbcreator_role-vu-verify.out
+++ b/test/JDBC/expected/dbcreator_role-vu-verify.out
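Review bot: The new guard rejects fixed server roles purely by name through `IS_BBF_FIXED_SERVER_ROLE(grantee_name)`, so it is only as strong as whatever normalization of `grantee_name` happens earlier in `check_alter_server_stmt` (the function's body begins and continues outside this hunk); T-SQL role names are case-insensitive and the accompanying tests exercise only lowercase spellings, so confirm the name is downcased before this point, otherwise a mixed-case spelling could slip past the check. It would also be safer to place this identity check ahead of the state-dependent `'sysadmin' role cannot be granted to login` check just above it, so a fixed role named as grantee is always refused with the same message regardless of catalog state. The comment should read `/* Forbid the use of fixed server principals as grantee */` (verb form, and the missing space before `*/`).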
@@ -565,6 +565,49 @@ go
 create role dummy_role
 go
 
+-- Do not allow predefined server roles to be members of each other
+Alter server role sysadmin add member securityadmin
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'securityadmin')~~
+
+
+Alter server role sysadmin add member dbcreator
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'dbcreator')~~
+
+
+Alter server role securityadmin add member dbcreator
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'dbcreator')~~
+
+
+Alter server role securityadmin add member securityadmin
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'securityadmin')~~
+
+
+Alter server role dbcreator add member securityadmin
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'securityadmin')~~
+
+
+Alter server role dbcreator add member dbcreator
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'dbcreator')~~
+
+
 -- terminate-tsql-conn
 
 -- tsql user=dbcreator_login1 password=123
diff --git a/test/JDBC/expected/single_db/dbcreator_role-vu-verify.out b/test/JDBC/expected/single_db/dbcreator_role-vu-verify.out
index 00b27faa19..dc25ca11b7 100644
--- a/test/JDBC/expected/single_db/dbcreator_role-vu-verify.out
+++ b/test/JDBC/expected/single_db/dbcreator_role-vu-verify.out
@@ -564,6 +564,49 @@ go
 create role dummy_role
 go
 
+-- Do not allow predefined server roles to be members of each other
+Alter server role sysadmin add member securityadmin
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'securityadmin')~~
+
+
+Alter server role sysadmin add member dbcreator
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'dbcreator')~~
+
+
+Alter server role securityadmin add member dbcreator
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'dbcreator')~~
+
+
+Alter server role securityadmin add member securityadmin
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'securityadmin')~~
+
+
+Alter server role dbcreator add member securityadmin
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'securityadmin')~~
+
+
+Alter server role dbcreator add member dbcreator
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: Cannot use the special principal 'dbcreator')~~
+
+
 -- terminate-tsql-conn
 
 -- tsql user=dbcreator_login1 password=123
diff --git a/test/JDBC/input/dbcreator_role-vu-verify.mix b/test/JDBC/input/dbcreator_role-vu-verify.mix
index bc22a67466..ea24665acb 100644
--- a/test/JDBC/input/dbcreator_role-vu-verify.mix
+++ b/test/JDBC/input/dbcreator_role-vu-verify.mix
@@ -398,6 +398,25 @@ go
 create role dummy_role
 go
 
+-- Do not allow predefined server roles to be members of each other
+Alter server role sysadmin add member securityadmin
+go
+
+Alter server role sysadmin add member dbcreator
+go
+
+Alter server role securityadmin add member dbcreator
+go
+
+Alter server role securityadmin add member securityadmin
+go
+
+Alter server role dbcreator add member securityadmin
+go
+
+Alter server role dbcreator add member dbcreator
+go
+
 -- terminate-tsql-conn
 
 -- tsql user=dbcreator_login1 password=123
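Review bot: The new .mix cases cover only six of the nine grantee/target combinations among sysadmin, securityadmin and dbcreator, and `sysadmin` as the grantee is never attempted (`Alter server role securityadmin add member sysadmin`, `Alter server role dbcreator add member sysadmin`, `Alter server role sysadmin add member sysadmin`), even though that is the combination that would matter most if the guard regressed. A mixed-case spelling such as `Alter server role sysadmin add member SecurityAdmin`, and the `drop member` form of the statement, which presumably reaches the same check, would also each be worth one case. Any case added here needs the matching `~~ERROR~~` entries in both expected .out files changed by this commit.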