BEGIN;
CREATE EXTENSION anon CASCADE;
NOTICE:  installing required extension "pgcrypto"
SELECT anon.init();
 init 
------
 t
(1 row)

CREATE ROLE mallory_the_masked_user;
SECURITY LABEL FOR anon ON ROLE mallory_the_masked_user IS 'MASKED';
CREATE TABLE t1(i INT);
ALTER TABLE t1 ADD COLUMN t TEXT;
SECURITY LABEL FOR anon ON COLUMN t1.t
IS 'MASKED WITH VALUE NULL';
INSERT INTO t1 VALUES (1,'test');
--
-- We're checking the owner's permissions
--
-- see
-- https://postgresql-anonymizer.readthedocs.io/en/latest/SECURITY/#permissions
--
SET ROLE mallory_the_masked_user;
SELECT anon.pseudo_first_name(0) IS NOT NULL;
 ?column? 
----------
 t
(1 row)

-- SHOULD FAIL
DO $$
BEGIN
  PERFORM anon.init();
  EXCEPTION WHEN insufficient_privilege
  THEN RAISE NOTICE 'insufficient_privilege';
END$$;
NOTICE:  insufficient_privilege
-- SHOULD FAIL
DO $$
BEGIN
  PERFORM anon.anonymize_table('t1');
  EXCEPTION WHEN insufficient_privilege
  THEN RAISE NOTICE 'insufficient_privilege';
END$$;
NOTICE:  insufficient_privilege
-- SHOULD FAIL
SAVEPOINT fail_start_engine;
SELECT anon.start_dynamic_masking();
ERROR:  Only supersusers can start the dynamic masking engine.
CONTEXT:  PL/pgSQL function anon.start_dynamic_masking(boolean) line 8 at RAISE
ROLLBACK TO fail_start_engine;
RESET ROLE;
SELECT anon.start_dynamic_masking();
 start_dynamic_masking 
-----------------------
 t
(1 row)

SET ROLE mallory_the_masked_user;
SELECT * FROM mask.t1;
 i | t 
---+---
 1 | 
(1 row)

-- SHOULD FAIL
DO $$
BEGIN
  SELECT * FROM public.t1;
  EXCEPTION WHEN insufficient_privilege
  THEN RAISE NOTICE 'insufficient_privilege';
END$$;
NOTICE:  insufficient_privilege
-- SHOULD FAIL
SAVEPOINT fail_stop_engine;
SELECT anon.stop_dynamic_masking();
ERROR:  Only supersusers can stop the dynamic masking engine.
CONTEXT:  PL/pgSQL function anon.stop_dynamic_masking() line 8 at RAISE
ROLLBACK TO fail_stop_engine;
RESET ROLE;
SELECT anon.stop_dynamic_masking();
NOTICE:  The previous priviledges of 'mallory_the_masked_user' are not restored. You need to grant them manually.
 stop_dynamic_masking 
----------------------
 t
(1 row)

SET ROLE mallory_the_masked_user;
SELECT COUNT(*)=1 FROM anon.pg_masking_rules;
 ?column? 
----------
 t
(1 row)

-- SHOULD FAIL
SAVEPOINT fail_seclabel_on_role;
SECURITY LABEL FOR anon ON ROLE mallory_the_masked_user IS NULL;
ERROR:  must have CREATEROLE privilege
ROLLBACK TO fail_seclabel_on_role;
ROLLBACK;