alter user kmourgos
     grant connect through oes_as
     with role all except ordmgmt;


create profile lim_connect limit
    connect_time 120;


create profile lim_fail_login limit
    failed_login_attempts 8;


create profile lim_connectime_faillog limit
    connect_time 120
    failed_login_attempts 8;


create profile lim_reuse_pass limit
    password_reuse_time 20
    password_reuse_max 5;


CREATE OR REPLACE FUNCTION verify_function_11G
(username varchar2,
  password varchar2,
  old_password varchar2)
  RETURN boolean IS
   n boolean;
   m integer;
   differ integer;
   isdigit boolean;
   ischar  boolean;
   ispunct boolean;
   db_name varchar2(40);
   digitarray varchar2(20);
   punctarray varchar2(25);
   chararray varchar2(52);
   i_char varchar2(10);
   simple_password varchar2(10);
   reverse_user varchar2(32);

BEGIN
   digitarray:= '0123456789';
   chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
. . .
   -- Sprawdzenie, czy haso jest takie samo, jak odwrcona nazwa 
   -- uytkownika
   FOR i in REVERSE 1..length(username) LOOP
     reverse_user := reverse_user || substr(username, i, 1);
   END LOOP;
   IF NLS_LOWER(password) = NLS_LOWER(reverse_user) THEN
     raise_application_error(-20003, 'Haso identyczne, jak odwrcona nazwa uytkownika');
   END IF;
. . .
   -- Gdy wszystko jest w porzdku, zwracana jest warto TRUE ;
   RETURN(TRUE);
END;
/

-- Skrypt zmienia domylne parametry zwizane z zarzdzaniem hasami.
-- Oznacza to, e dla wszystkich uytkownikw systemu aktywne jest 
-- zarzdzanie hasami i ustawione ponisze wartoci (pod warunkiem, e
-- nie utworzono i przypisano uytkownikom innego profilu z parametrami 
-- o odmiennych wartociach lub wartoci UNLIMITED).

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1 PASSWORD_VERIFY_FUNCTION verify_function_11G;


create or replace procedure process_orders (order_batch_date date)
authid current_user as
begin
    -- przetwarzanie tabeli ORDERS uytkownika z prawami uytkownika wywoujcego,
    -- obowizuj wszystkie role
end;


create context hr_security using vpd.emp_access;

create or replace package emp_access as
    procedure set_security_parameters;
end;


declare
    username varchar2(30);
    ip_addr varchar2(30);
begin
    username := SYS_CONTEXT('USERENV','SESSION_USER');
    ip_addr := SYS_CONTEXT('USERENV','IP_ADDRESS');
    -- dalsze instrukcje
end;


dbms_session.set_context('HR_SECURITY','SEC_LEVEL','HIGH');

create or replace trigger vpd.set_security_parameters
    after logon on database
begin
    vpd.emp_access.set_security_parameters;
end;


create or replace package body get_predicates is

    function emp_select_restrict(owner varchar2, object_name varchar2)
            return varchar2 is
        ret_predicate varchar2(1000); -- cz klauzuli WHERE
    begin
        -- pozwala na przegldanie wierszy tabeli tylko wybranym pracownikom
        -- . . . sprawdzenie zmiennych kontekstowych i utworzenie predykatu
        return ret_predicate;
    end emp_select_restrict;

function emp_dml_restrict(owner varchar2, object_name varchar2)
                return varchar2 is
        ret_predicate varchar2(1000); -- cz klauzuli WHERE
    begin
        -- pozwala na wprowadzanie zmian w tabeli tylko wybranym pracownikom
        -- . . . sprawdzenie zmiennych kontekstowych i utworzenie predykatu
        return ret_predicate;
    end emp_dml_restrict;

end; -- treci pakietu


DBMS_RLS.ADD_POLICY
(
    object_schema          IN varchar2 null,
    object_name            IN varchar2,
    policy_name            IN varchar2,
    function_schema        IN varchar2 null,
    policy_function        IN varchar2,
    statement_types        IN varchar2 null,
    update_check           IN boolean false,
    enable                 IN boolean true,
    static_policy          IN boolean false,
    policy_type            IN binary_integer null,
    long_predicate         IN in Boolean false,
    sec_relevant_cols      IN varchar2,
    sec_relevant_cols_opt  IN binary_integer null
);


dbms_rls.add_policy (
    object_schema =>   'HR',
    object_name =>     'EMPLOYEES',
    policy_name =>     'EMP_SELECT_RESTRICT',
    function_schema => 'VPD',
    policy_function => 'get_predicates.emp_select_restrict',
    statement_types => 'SELECT',
    update_check =>    TRUE,
    enable =>          TRUE
);


dbms_rls.enable_policy(
    object_schema => 'HR',
    object_name =>   'EMPLOYEES',
    policy_name =>   'EMP_SELECT_RESTRICT',
    enable =>        FALSE
);


create user smavris identified by smavris702;
grant connect, resource to smavris;

create user dgrant identified by dgrant507;
grant connect, resource to dgrant;

create user kmourgos identified by kmourgos622;
grant connect, resource to kmourgos;


grant select on hr.employees to public;

create table hr.emp_login_map (employee_id, login_acct)
    as select employee_id, email from hr.employees;

grant select on hr.emp_login_map to public;


create user vpd identified by vpd439;
grant connect, resource, create any context, create public synonym to vpd;


connect vpd/vpd439@dw;

create context hr_security using vpd.emp_access;

create or replace package vpd.emp_access as
    procedure set_security_parameters;
end;


create or replace package body vpd.emp_access is

--
-- Po zalogowaniu si uytkownika naley wykona set_security_parameters,
-- aby odczyta nazw uytkownika, odpowiadajc wartoci w kolumnie EMAIL
-- tabeli HR.EMPLOYEES.
--
-- kontekst USERENV zawiera charakterystyki uytkownika, takie jak
-- nazw uytkownika, adres IP jego poczenia i tak dalej.
--
-- w procedurze uywamy jedynie parametru SESSION_USER
-- z kontekstu USERENV.
--
    procedure set_security_parameters is
        emp_id_num number;
        emp_login varchar2(50);
    begin

        -- nazwa uytkownika bazy danych odpowiada adresowi poczty
        -- elektronicznej w tabeli HR.EMPLOYEES
        emp_login := sys_context('USERENV','SESSION_USER');

        dbms_session.set_context('HR_SECURITY','USERNAME',emp_login);

        -- odczytanie numeru identyfikacyjnego pracownika, aby ustanowi uprawnienia menedera
        -- trzeba jednak omin innych uytkownikw bazy danych,
        -- ktrzy nie wystpuj w tabeli EMPLOYEES
        begin
            select employee_id into emp_id_num
                from hr.emp_login_map where login_acct = emp_login;

            dbms_session.set_context('HR_SECURITY','EMP_ID',emp_id_num);
        exception
            when no_data_found then
                dbms_session.set_context('HR_SECURITY','EMP_ID',0);
        end;

        -- w nastpnych zapytaniach zbir zwracanych wierszy bdzie ograniczony
        -- na podstawie wartoci emp_id

    end; -- koniec procedury

end; -- koniec treci pakietu


grant execute on vpd.emp_access to PUBLIC;
create public synonym emp_access for vpd.emp_access;


connect system/nolongermanager@dw as sysdba;

create or replace trigger vpd.set_security_parameters
    after logon on database
begin
    vpd.emp_access.set_security_parameters;
end;


connect vpd/vpd439@dw;

create or replace package vpd.get_predicates as

    -- uwaga: funkcje zabezpieczajce ZAWSZE posiadaj dwa parametry:
    -- nazw waciciela tabeli oraz nazw tabeli

    function emp_select_restrict
         (owner varchar2, object_name varchar2) return varchar2;

    -- tutaj mona dopisa kolejne funkcje dla operacji INSERT, DELETE i tak dalej

end get_predicates;


create or replace package body vpd.get_predicates is

    function emp_select_restrict
         (owner varchar2, object_name varchar2) return varchar2 is

        ret_predicate varchar2(1000); -- cz klauzuli WHERE

    begin
        -- pozwala pracownikowi na dostp do danych dotyczcych jego samego
        -- lub jego bezporednich podwadnych
        ret_predicate := 'EMPLOYEE_ID = ' ||
                         sys_context('HR_SECURITY','EMP_ID') ||
                         ' OR MANAGER_ID = ' ||
                         sys_context('HR_SECURITY','EMP_ID');
        return ret_predicate;
    end emp_select_restrict;

end; -- koniec pakietu


grant execute on vpd.get_predicates to PUBLIC;
create public synonym get_predicates for vpd.get_predicates;


dbms_rls.add_policy (
         object_schema => 'HR',
         object_name => 'EMPLOYEES',
         policy_name => 'EMP_SELECT_RESTRICT',
         function_schema => 'VPD',
         policy_function => 'get_predicates.emp_select_restrict',
         statement_types => 'SELECT',
         update_check => TRUE,
         enable => TRUE
);


create or replace package body vpd.get_predicates is

    function emp_select_restrict
         (owner varchar2, object_name varchar2) return varchar2 is

        ret_predicate varchar2(1000); -- cz klauzuli WHERE

    begin
        -- pozwala pracownikowi na dostp do danych dotyczcych jego samego,
        -- chyba e posiada wysoki poziom zabezpiecze
        if sys_context('HR_SECURITY','SEC_LEVEL') = 'HIGH' then
            ret_predicate := ''; -- brak ogranicze w klauzuli WHERE
        else
            ret_predicate := 'EMPLOYEE_ID = ' ||
                             sys_context('HR_SECURITY','EMP_ID') ||
                             ' OR MANAGER_ID = ' ||
                             sys_context('HR_SECURITY','EMP_ID');
        end if;
        return ret_predicate;
    end emp_select_restrict;

end; -- koniec pakietu

dbms_rls.add_policy (
         object_schema => 'HR',
         object_name => 'EMPLOYEES',
         policy_name => 'EMP_SELECT_RESTRICT',
         function_schema => 'VPD',
         policy_function => 'get_predicates.emp_select_restrict',
         statement_types => 'SELECT',
         update_check => TRUE,
         enable => TRUE,
         sec_relevant_cols => 'SALARY',
         sec_relevant_cols_opt => dbms_rls.all_rows
);


begin
    dbms_fga.add_policy(
        object_schema => 'HR',
        object_name => 'EMPLOYEES',
        policy_name => 'SAL_SELECT_AUDIT',
        audit_condition => 'instr(job_id,''_MAN'') > 0',
        audit_column => 'SALARY'
    );
end;


CREATE SMALLFILE TABLESPACE "USERS_CRYPT"
DATAFILE'+DATA' SIZE 500M LOGGING EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO NOCOMPRESS ENCRYPTION
USING 'AES256' DEFAULT STORAGE(ENCRYPT)





