-- ========================================== -- 05: TEST ROW-LEVEL SECURITY (OPTIONAL) -- ========================================== -- This script tests RLS functionality -- Comment out this file in production! -- Runs as: postgres (superuser) \echo '' \echo 'โš ๏ธ WARNING: This is a test script!' \echo 'โš ๏ธ Remove or comment out for production!' \echo '' \echo '๐Ÿงช Testing Row-Level Security...' -- ========================================== -- Connect to development database -- ========================================== \c aurganize_dev -- ========================================== -- CREATE TEST TABLE -- ========================================== \echo '' \echo '๐Ÿ“‹ Creating test table...' DROP TABLE IF EXISTS rls_test CASCADE; CREATE TABLE rls_test ( id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), tenant_id UUID NOT NULL, data TEXT ); \echo ' โœ… Table rls_test created' -- ========================================== -- APPLY RLS POLICY -- ========================================== \echo '' \echo '๐Ÿ”’ Applying RLS policy...' SELECT create_tenant_isolation_policy('rls_test'); \echo ' โœ… RLS policy applied' -- ========================================== -- INSERT TEST DATA -- ========================================== \echo '' \echo '๐Ÿ“ Inserting test data...' INSERT INTO rls_test (tenant_id, data) VALUES ('550e8400-e29b-41d4-a716-446655440000', 'Tenant A - Record 1'), ('550e8400-e29b-41d4-a716-446655440000', 'Tenant A - Record 2'), ('660e8400-e29b-41d4-a716-446655440001', 'Tenant B - Record 1'), ('660e8400-e29b-41d4-a716-446655440001', 'Tenant B - Record 2'); \echo ' โœ… Inserted 4 records (2 per tenant)' -- ========================================== -- TEST AS SUPERUSER (Should see all) -- ========================================== \echo '' \echo '๐Ÿ‘‘ Testing as superuser (should see ALL records)...' SELECT COUNT(*) AS total_records FROM rls_test; \echo '' -- ========================================== -- TEST AS APPLICATION USER -- ========================================== \echo '' \echo '๐Ÿ‘ค Testing as application user...' \echo '' -- Reconnect as application user \c aurganize_dev aurganize_backend_api -- ========================================== -- TEST 1: Set Tenant A Context -- ========================================== \echo '๐Ÿ”ง Test 1: Setting Tenant A context...' SELECT set_tenant_context('550e8400-e29b-41d4-a716-446655440000'::UUID); \echo '๐Ÿ“Š Querying (should see 2 Tenant A records only):' SELECT id, tenant_id, data FROM rls_test ORDER BY data; \echo '' -- Verify current tenant \echo '๐Ÿ” Current tenant:' SELECT get_current_tenant() AS current_tenant; \echo '' -- ========================================== -- TEST 2: Switch to Tenant B -- ========================================== \echo '๐Ÿ”ง Test 2: Switching to Tenant B context...' SELECT set_tenant_context('660e8400-e29b-41d4-a716-446655440001'::UUID); \echo '๐Ÿ“Š Querying (should see 2 Tenant B records only):' SELECT id, tenant_id, data FROM rls_test ORDER BY data; \echo '' -- ========================================== -- TEST 3: Try to Insert with Wrong Tenant ID -- ========================================== \echo '๐Ÿงช Test 3: Attempting to insert with WRONG tenant_id (should FAIL)...' DO $$ BEGIN INSERT INTO rls_test (tenant_id, data) VALUES ('550e8400-e29b-41d4-a716-446655440000', 'Hacked!'); RAISE EXCEPTION 'ERROR: Insert succeeded when it should have failed!'; EXCEPTION WHEN others THEN IF SQLERRM LIKE '%violates row-level security policy%' THEN RAISE NOTICE ' โœ… PASS: Insert correctly blocked by RLS'; ELSE RAISE NOTICE ' โŒ FAIL: Unexpected error: %', SQLERRM; END IF; END; $$; \echo '' -- ========================================== -- TEST 4: Insert with Correct Tenant ID -- ========================================== \echo '๐Ÿงช Test 4: Inserting with CORRECT tenant_id (should SUCCEED)...' INSERT INTO rls_test (tenant_id, data) VALUES ('660e8400-e29b-41d4-a716-446655440001', 'Valid insert'); \echo ' โœ… PASS: Insert succeeded' \echo '' \echo '๐Ÿ“Š Query again (should now see 3 Tenant B records):' SELECT id, tenant_id, data FROM rls_test ORDER BY data; \echo '' -- ========================================== -- TEST 5: Try to Update to Different Tenant -- ========================================== \echo '๐Ÿงช Test 5: Attempting to UPDATE to different tenant_id (should FAIL)...' DO $$ BEGIN UPDATE rls_test SET tenant_id = '550e8400-e29b-41d4-a716-446655440000' WHERE data = 'Valid insert'; RAISE EXCEPTION 'ERROR: Update succeeded when it should have failed!'; EXCEPTION WHEN others THEN IF SQLERRM LIKE '%violates row-level security policy%' THEN RAISE NOTICE ' โœ… PASS: Update correctly blocked by RLS'; ELSE RAISE NOTICE ' โŒ FAIL: Unexpected error: %', SQLERRM; END IF; END; $$; \echo '' -- ========================================== -- TEST 6: Try to See All Records -- ========================================== \echo '๐Ÿงช Test 6: Verifying data is still filtered...' \echo '๐Ÿ“Š Count (should still be 3 Tenant B records only):' SELECT COUNT(*) AS visible_records FROM rls_test; \echo '' -- ========================================== -- CLEANUP -- ========================================== \echo '๐Ÿงน Cleaning up...' -- Reconnect as superuser \c aurganize_dev postgres -- Drop test table DROP TABLE IF EXISTS rls_test CASCADE; \echo ' โœ… Test table dropped' -- ========================================== -- TEST SUMMARY -- ========================================== \echo '' \echo '==========================================' \echo 'โœ… RLS TESTING COMPLETE!' \echo '==========================================' \echo '' \echo 'Test Results:' \echo ' โœ… Tenant isolation works correctly' \echo ' โœ… Cannot insert with wrong tenant_id' \echo ' โœ… Can insert with correct tenant_id' \echo ' โœ… Cannot update to different tenant_id' \echo ' โœ… Queries are properly filtered' \echo '' \echo '๐Ÿ”’ Row-Level Security is functioning as expected!' \echo '' \echo 'โš ๏ธ REMINDER: Remove or comment out this test' \echo ' script for production deployment!' \echo ''