github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/cli/interactive_tests/test_audit_log.tcl

github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/cli/interactive_tests/test_audit_log.tcl (about)

     1  #! /usr/bin/env expect -f
     2  
     3  source [file join [file dirname $argv0] common.tcl]
     4  
     5  start_server $argv
     6  
     7  spawn $argv sql
     8  eexpect root@
     9  
    10  set logfile logs/db/logs/cockroach-sql-audit.log
    11  
    12  start_test "Check that the audit log is not created by default"
    13  system "if test -e $logfile; then false; fi"
    14  end_test
    15  
    16  start_test "Check that statements do not get logged to the audit log directly"
    17  send "CREATE DATABASE t; USE t; CREATE TABLE helloworld(abc INT); INSERT INTO helloworld VALUES (123);\r"
    18  eexpect root@
    19  system "if test -e $logfile; then false; fi"
    20  end_test
    21  
    22  start_test "Check that statements start being logged synchronously if auditing is enabled"
    23  send "ALTER TABLE helloworld EXPERIMENTAL_AUDIT SET READ WRITE;\r"
    24  eexpect root@
    25  # check that the audit change itself is recorded.
    26  system "grep -q 'helloworld.*:READWRITE.*ALTER TABLE.*OK' $logfile"
    27  send "SELECT * FROM helloworld;\r"
    28  eexpect root@
    29  system "grep -q 'helloworld.*:READ}.*SELECT.*OK' $logfile"
    30  end_test
    31  
    32  start_test "Check that write statements are logged differently"
    33  send "INSERT INTO helloworld VALUES(456);\r"
    34  eexpect root@
    35  system "grep -q 'helloworld.*:READWRITE.*INSERT.*OK' $logfile"
    36  end_test
    37  
    38  start_test "Check that errors get logged too"
    39  send "SELECT nonexistent FROM helloworld;\r"
    40  eexpect root@
    41  system "grep -q 'helloworld.*:READ}.*SELECT.*ERROR' $logfile"
    42  end_test
    43  
    44  # Flush and truncate the logs. The test below must not see the log entries that
    45  # were already generated above.
    46  flush_server_logs
    47  system "truncate -s0 $logfile"
    48  
    49  # Check the log indeed is empty
    50  system "if grep -q helloworld $logfile; then false; fi"
    51  
    52  start_test "Check that audit removal is logged too"
    53  send "ALTER TABLE helloworld EXPERIMENTAL_AUDIT SET OFF;\r"
    54  eexpect root@
    55  system "grep 'helloworld.*:READWRITE.*ALTER TABLE.*SET OFF.*OK' $logfile"
    56  end_test
    57  
    58  interrupt
    59  eexpect eof
    60  
    61  stop_server $argv
    62  
    63  start_test "Check that audit logging works even with a custom directory"
    64  # Start a server with a custom log
    65  system "$argv start-single-node --insecure --pid-file=server_pid --background -s=path=logs/db --sql-audit-dir=logs/db/audit-new >>logs/expect-cmd.log 2>&1;
    66          $argv sql --insecure -e 'select 1'"
    67  
    68  set logfile logs/db/audit-new/cockroach-sql-audit.log
    69  
    70  # Start a client and make a simple audit test.
    71  spawn $argv sql
    72  eexpect root@
    73  send "create database d; create table d.helloworld(x INT);\r"
    74  eexpect CREATE
    75  eexpect root@
    76  send "alter table d.helloworld EXPERIMENTAL_AUDIT SET READ WRITE;\r"
    77  eexpect "ALTER TABLE"
    78  eexpect root@
    79  send "select x from d.helloworld;\r"
    80  eexpect root@
    81  interrupt
    82  eexpect eof
    83  
    84  # Check the file was created and populated properly.
    85  system "grep -q helloworld $logfile"
    86  
    87  stop_server $argv
    88  end_test