Is there a way to test security permissions in tSQLt?
Currently I am trying to test an accounts security and the results return from tSQLt are not what I am expecting. I am expecting on error that the account does not have permissions, but it appears that the "test" is using my account permissions and succeeding.
EXEC tSQLt.NewTestClass @ClassName = N'TestSecurity' -- nvarchar(max)
go
CREATE PROCEDURE TestSecurity.[test execute as security]
AS
BEGIN
EXECUTE AS USER = 'account3'
SELECT *
FROM dbo.User AS u
REVERT
END
GO
CREATE PROCEDURE TestSecurity.[test security on WebUser]
AS
BEGIN
EXECUTE AS USER = 'account3'
SELECT *
FROM dbo.WebUser AS wu
REVERT
END
GO
EXEC tSQLt.Run
@TestName = N'TestSecurity'
--,@TestResultFormatter = N'' -- nvarchar(max)
Results are two table results printed and 2 successful tests:
(1 row affected)
+----------------------+
|Test Execution Summary|
+----------------------+ '
|No|Test Case Name |Dur(ms)|Result |
+--+-----------------------------------------+-------+-------+
|1 |[TestSecurity].[test execute as security]| 257|Success|
|2 |[TestSecurity].[test security on SecUser]| 27|Success|
-----------------------------------------------------------------------------
Test Case Summary: 2 test case(s) executed, 2 succeeded, 0 failed, 0 errored.
-----------------------------------------------------------------------------
When is reality the dbo.User table should have failed and the WebUser table should succeed? I expect an error but I get results back?
The error I expect to get back should look like
-- run
EXECUTE AS USER = 'account3'
SELECT * FROM dbo.WebUser AS wu
-- returns
Msg 229, Level 14, State 5, Line 4
The SELECT permission was denied on the object 'WebUser', database '...', schema '...'.
I understand I should add tSQLt.ExpectException, but it is not even throwing an exception there are results coming back. I was trying to figure out how it is executing right now and then add the tSQLt Exception check. There is no security to return results so I am confused.
Update 1 Executing
CREATE PROCEDURE TestSecurity.[test execute as security]
AS
BEGIN
EXECUTE AS USER = 'account3'
-- EDIT
SELECT *
FROM sys.user_token AS ut
SELECT *
FROM dbo.User AS u
REVERT
END
GO
Returns
name type usage
account3 SQL USER GRANT OR DENY
public ROLE GRANT OR DENY
db_securitycheck ROLE GRANT OR DENY
db_executor ROLE GRANT OR DENY
db_webexecutor ROLE GRANT OR DENY
dbo SQL USER AUTHENTICATOR
db_owner ROLE AUTHENTICATOR
Which kinda of makes sense except db_owner which are my permissions not the account3 permissions.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://i.stack.imgur.com/mgPMy.png', '推荐 冷血范 的文章《tSQLt Testing SQL Server security permissions》','https://www.manongdao.com/article-1376633.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}