-- This test cannot be run in a single transcation
-- This test must be run on a database named 'contrib_regression'
CREATE EXTENSION IF NOT EXISTS anon CASCADE;
-- INIT
SELECT anon.mask_init();
 mask_init 
-----------
 t
(1 row)

SELECT anon.mask_init('public','foo');
NOTICE:  schema "foo" already exists, skipping
 mask_init 
-----------
 t
(1 row)

SELECT anon.start_dynamic_masking();
NOTICE:  schema "mask" already exists, skipping
 start_dynamic_masking 
-----------------------
 t
(1 row)

SELECT anon.start_dynamic_masking('public','foo');
NOTICE:  schema "foo" already exists, skipping
 start_dynamic_masking 
-----------------------
 t
(1 row)

CREATE TABLE t1 (
  id SERIAL,
  name TEXT,
  "CreditCard" TEXT
--  fk_company INTEGER
);
INSERT INTO t1
VALUES (1,'Schwarzenegger','1234567812345678');
-- Check old syntax
COMMENT ON COLUMN t1.name
IS '    MASKED WITH FUNCTION anon.random_last_name() ';
COMMENT ON COLUMN t1."CreditCard"
IS 'dfkjdsiv MASKED    WITH    FUNCTION         anon.random_string(12)';
CREATE TABLE "T2" (
  rn SERIAL,
  "IBAN" TEXT,
  COMPANY TEXT
);
INSERT INTO "T2"
VALUES (1991,'12345677890','Cyberdyne Systems');
-- New syntax
SECURITY LABEL FOR anon
ON COLUMN  "T2"."IBAN"
IS 'MASKED WITH FUNCTION anon.random_iban()';
SECURITY LABEL FOR anon
ON COLUMN "T2".COMPANY
IS 'MASKED WITH FUNCTION anon.random_company() jenfk snvi  jdvjs';
SELECT count(*) = 4  FROM anon.pg_masking_rules;
 ?column? 
----------
 t
(1 row)

SELECT masking_function = 'anon.random_iban()'
FROM anon.pg_masking_rules
WHERE attname = 'IBAN';
 ?column? 
----------
 t
(1 row)

--
SELECT company != 'Cyberdyne Systems' FROM foo."T2" WHERE rn=1991;
 ?column? 
----------
 t
(1 row)

SELECT name != 'Schwarzenegger' FROM foo.t1 WHERE id = 1;
 ?column? 
----------
 t
(1 row)

-- ROLE
CREATE ROLE skynet LOGIN;
SECURITY LABEL FOR anon ON ROLE skynet IS 'MASKED';
SELECT anon.mask_update();
 mask_update 
-------------
 t
(1 row)

CREATE ROLE hal LOGIN;
COMMENT ON ROLE hal IS 'MASKED';
SELECT anon.mask_update();
 mask_update 
-------------
 t
(1 row)

-- search_path must be 'foo,public'
\! psql contrib_regression -U skynet -c 'SHOW search_path;'
 search_path 
-------------
 foo, public
(1 row)

-- search_path must be 'foo,public'
\! psql contrib_regression -U hal -c 'SHOW search_path;'
 search_path 
-------------
 foo, public
(1 row)

-- Disabling this test, because the error message has changed between PG10 and PG11
-- This test should fail anyway, the skynet role is not allowed to access the t1 table
--\! psql contrib_regression -U skynet -c "SELECT * FROM public.t1;"
\! psql contrib_regression -U skynet -c "SELECT name != 'Schwarzenegger' FROM t1 WHERE id = 1;"
 ?column? 
----------
 t
(1 row)

\! psql contrib_regression -U skynet -c "SELECT company != 'Cyberdyne Systems' FROM \"T2\" WHERE rn=1991;"
 ?column? 
----------
 t
(1 row)

-- STOP
SELECT anon.stop_dynamic_masking();
NOTICE:  The previous priviledges of 'skynet' are not restored. You need to grant them manually.
NOTICE:  The previous priviledges of 'hal' are not restored. You need to grant them manually.
 stop_dynamic_masking 
----------------------
 t
(1 row)

--  CLEAN
DROP TABLE "T2" CASCADE;
DROP TABLE t1 CASCADE;
DROP EXTENSION anon CASCADE;
REASSIGN OWNED BY skynet TO postgres;
DROP OWNED BY skynet CASCADE;
DROP ROLE skynet;
REASSIGN OWNED BY hal TO postgres;
DROP OWNED BY hal CASCADE;
DROP ROLE hal;