From 8cf2e1310e272b4b57efdefc189fa16d62b0e212 Mon Sep 17 00:00:00 2001
From: Jared Bunting
Date: Wed, 18 Oct 2023 13:06:05 -0400
Subject: [PATCH] Add SECURITY LABEL provider to acceptance test postgres db.
---
tests/build/Dockerfile | 6 ++
tests/build/dummy_seclabel/Makefile | 13 ++++
.../dummy_seclabel/dummy_seclabel--1.0.sql | 8 +++
tests/build/dummy_seclabel/dummy_seclabel.c | 60 +++++++++++++++++++
.../dummy_seclabel/dummy_seclabel.control | 4 ++
tests/docker-compose.yml | 5 +-
6 files changed, 95 insertions(+), 1 deletion(-)
create mode 100644 tests/build/Dockerfile
create mode 100644 tests/build/dummy_seclabel/Makefile
create mode 100644 tests/build/dummy_seclabel/dummy_seclabel--1.0.sql
create mode 100644 tests/build/dummy_seclabel/dummy_seclabel.c
create mode 100644 tests/build/dummy_seclabel/dummy_seclabel.control
diff --git a/tests/build/Dockerfile b/tests/build/Dockerfile
new file mode 100644
index 00000000..e132f836
--- /dev/null
+++ b/tests/build/Dockerfile
@@ -0,0 +1,6 @@
+FROM postgres:${PGVERSION:-latest}
+
+RUN apt-get update && apt-get install -y build-essential postgresql-server-dev-all
+COPY dummy_seclabel /opt/dummy_seclabel
+WORKDIR /opt/dummy_seclabel
+RUN make
diff --git a/tests/build/dummy_seclabel/Makefile b/tests/build/dummy_seclabel/Makefile
new file mode 100644
index 00000000..3447a688
--- /dev/null
+++ b/tests/build/dummy_seclabel/Makefile
@@ -0,0 +1,13 @@
+# src/test/modules/dummy_seclabel/Makefile
+
+MODULES = dummy_seclabel
+PGFILEDESC = "dummy_seclabel - regression testing of the SECURITY LABEL statement"
+
+EXTENSION = dummy_seclabel
+DATA = dummy_seclabel--1.0.sql
+
+REGRESS = dummy_seclabel
+
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
diff --git a/tests/build/dummy_seclabel/dummy_seclabel--1.0.sql b/tests/build/dummy_seclabel/dummy_seclabel--1.0.sql
new file mode 100644
index 00000000..5939e930
--- /dev/null
+++ b/tests/build/dummy_seclabel/dummy_seclabel--1.0.sql
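Review bot: `FROM postgres:${PGVERSION:-latest}` in tests/build/Dockerfile has no `ARG PGVERSION` before it, and a Dockerfile `FROM` only expands variables declared by a preceding `ARG`, so the base image will most likely always resolve to `postgres:latest` whatever PGVERSION the test run sets. Declare `ARG PGVERSION=latest` above `FROM postgres:${PGVERSION}` and pass the value from the `build: build` entry in the tests/docker-compose.yml hunk, using a `build:` mapping with `context: build` and `args: [PGVERSION]`. `postgresql-server-dev-all` also pulls in headers for every packaged major version, so it is worth confirming that the `pg_config` the Makefile picks up belongs to the server in the image; if it does not, the module is compiled against a different major version and the preload would presumably be rejected at server start.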
@@ -0,0 +1,8 @@
+/* src/test/modules/dummy_seclabel/dummy_seclabel--1.0.sql */
+
+-- complain if script is sourced in psql, rather than via CREATE EXTENSION
+\echo Use "CREATE EXTENSION dummy_seclabel" to load this file. \quit
+
+CREATE FUNCTION dummy_seclabel_dummy()
+ RETURNS pg_catalog.void
+AS 'MODULE_PATHNAME' LANGUAGE C;
diff --git a/tests/build/dummy_seclabel/dummy_seclabel.c b/tests/build/dummy_seclabel/dummy_seclabel.c
new file mode 100644
index 00000000..fea8d679
--- /dev/null
+++ b/tests/build/dummy_seclabel/dummy_seclabel.c
@@ -0,0 +1,60 @@
+/*
+ * dummy_seclabel.c
+ *
+ * Dummy security label provider.
+ *
+ * This module does not provide anything worthwhile from a security
+ * perspective, but allows regression testing independent of platform-specific
+ * features like SELinux.
+ *
+ * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ */
+#include "postgres.h"
+
+#include "commands/seclabel.h"
+#include "fmgr.h"
+#include "miscadmin.h"
+#include "utils/rel.h"
+
+PG_MODULE_MAGIC;
+
+PG_FUNCTION_INFO_V1(dummy_seclabel_dummy);
+
+static void
+dummy_object_relabel(const ObjectAddress *object, const char *seclabel)
+{
+ if (seclabel == NULL ||
+ strcmp(seclabel, "unclassified") == 0 ||
+ strcmp(seclabel, "classified") == 0)
+ return;
+
+ if (strcmp(seclabel, "secret") == 0 ||
+ strcmp(seclabel, "top secret") == 0)
+ {
+ if (!superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("only superuser can set '%s' label", seclabel)));
+ return;
+ }
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_NAME),
+ errmsg("'%s' is not a valid security label", seclabel)));
+}
+
+void
+_PG_init(void)
+{
+ register_label_provider("dummy", dummy_object_relabel);
+}
+
+/*
+ * This function is here just so that the extension is not completely empty
+ * and the dynamic library is loaded when CREATE EXTENSION runs.
+ */
+Datum
+dummy_seclabel_dummy(PG_FUNCTION_ARGS)
+{
+ PG_RETURN_VOID();
+}
diff --git a/tests/build/dummy_seclabel/dummy_seclabel.control b/tests/build/dummy_seclabel/dummy_seclabel.control
new file mode 100644
index 00000000..8c372728
--- /dev/null
+++ b/tests/build/dummy_seclabel/dummy_seclabel.control
@@ -0,0 +1,4 @@
+comment = 'Test code for SECURITY LABEL feature'
+default_version = '1.0'
+module_pathname = '$libdir/dummy_seclabel'
+relocatable = true
diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
index 177994bf..6c212946 100644
--- a/tests/docker-compose.yml
+++ b/tests/docker-compose.yml @@ -2,7 +2,8 @@ version: "3" services: postgres: - image: postgres:${PGVERSION:-latest} + build: build +# image: postgres:${PGVERSION:-latest} user: postgres command: - "postgres" @@ -10,6 +11,8 @@ services: - "wal_level=logical" - "-c" - "max_replication_slots=10" + - "-c" + - "shared_preload_libraries=/opt/dummy_seclabel/dummy_seclabel" environment: POSTGRES_PASSWORD: ${PGPASSWORD} ports:
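Review bot: The commented-out `# image: postgres:${PGVERSION:-latest}` line left under `build: build` in the first hunk is dead configuration, and it reads as if the server version were still selected in this file. Delete it, or replace it with a short comment such as `# image is built from tests/build so the dummy SECURITY LABEL provider can be preloaded`. That comment also tells a reader that the second hunk's `shared_preload_libraries=/opt/dummy_seclabel/dummy_seclabel` points into the image's build directory rather than the server's library directory.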