sql: add e2e tests and fix privilege/NULL bugs for DROP PROVISIONED ROLES

Add comprehensive logic tests for DROP PROVISIONED ROLES and fix two
bugs:

1. Privilege escalation: the internal query used `params.p.User()`
   which fails for non-admin CREATEROLE users who lack SELECT on
   system.users. Switched to `NodeUserSessionDataOverride` since the
   CREATEROLE authorization check already happened at plan time.

2. NULL filter panic: passing NULL as a SOURCE or LAST LOGIN BEFORE
   filter expression caused a server panic via tree.MustBeDString /
   tree.MustBeDTimestampTZ on tree.DNull. Added explicit DNull checks
   after eval.Expr, returning a proper InvalidParameterValue error
   instead of crashing the node. Follows the established pattern from
   set_zone_config.go.

Refactors the main loop into two passes: the first pass filters
candidates by checking permissions and dependencies, accumulating
eligible users into a slice; the second pass performs the deletions.

Tests cover all existing behavior plus:
- NULL filter rejection for SOURCE and LAST LOGIN BEFORE
- Negative test: no dedicated `drop_provisioned_role` audit event
  type (currently reuses generic `drop_role`)
- Session revocation: web sessions for dropped users are revoked
- EXPLAIN planning for various filter combinations

Fixes: #170030
Fixes: #170031
Fixes: #170032
Fixes: #170048
Informs: #170033
Epic: CRDB-54682
Release note: None

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: souravcrl

pkg/sql/drop_provisioned_roles.go

@@ -129,11 +129,16 @@ func (n *DropProvisionedRolesNode) startExec(params runParams) error {
 	}
 	query, queryArgs := buildProvisionedRolesQuery(sourceVal, lastLoginVal, n.limitCount)
 
+	// Use NodeUserSessionDataOverride because the authorization check
+	// (CREATEROLE) already happened at plan time. A non-admin CREATEROLE
+	// user does not have SELECT on system.users, so the query must run
+	// with elevated privileges. The query is hardcoded with only
+	// parameterized filter values — no user-controlled SQL expressions.
 	rows, err := params.p.InternalSQLTxn().QueryBufferedEx(
 		params.ctx,
 		"drop-provisioned-roles-find",
 		params.p.txn,
-		sessiondata.InternalExecutorOverride{User: params.p.User()},
+		sessiondata.NodeUserSessionDataOverride,
 		query,
 		queryArgs...,
 	)
@@ -149,10 +154,11 @@ func (n *DropProvisionedRolesNode) startExec(params runParams) error {
 		return err
 	}
 
-	var numDropped, numSkipped int
-	var droppedNames []string
-	var numRoleSettingsRowsDeleted int
-
+	// First pass: filter candidates by checking permissions and
+	// dependencies. Accumulate eligible users into a separate slice
+	// so that the deletion loop is cleanly separated from the
+	// validation logic.
+	var usersToDrop []username.SQLUsername
 	for _, row := range rows {
 		normalizedUsername := username.MakeSQLUsernameFromPreNormalizedString(
 			string(tree.MustBeDString(row[0])),
@@ -179,7 +185,6 @@ func (n *DropProvisionedRolesNode) startExec(params runParams) error {
 					params.ctx,
 					pgnotice.Newf("skipping %q: must be superuser to drop superusers", normalizedUsername),
 				)
-				numSkipped++
 				continue
 			}
 		}
@@ -195,22 +200,26 @@ func (n *DropProvisionedRolesNode) startExec(params runParams) error {
 				params.ctx,
 				pgnotice.Newf("skipping %q: role has dependent objects", normalizedUsername),
 			)
-			numSkipped++
 			continue
 		}
 
-		// Delete the role from all system tables.
+		usersToDrop = append(usersToDrop, normalizedUsername)
+	}
+
+	// Second pass: delete all eligible users from system tables.
+	var droppedNames []string
+	var numRoleSettingsRowsDeleted int
+	for _, normalizedUsername := range usersToDrop {
 		deleted, err := n.deleteRole(params, normalizedUsername, opName)
 		if err != nil {
 			return err
 		}
 		numRoleSettingsRowsDeleted += deleted
-		numDropped++
 		droppedNames = append(droppedNames, normalizedUsername.Normalized())
 	}
 
 	// Bump table versions if anything was dropped.
-	if numDropped > 0 {
+	if len(droppedNames) > 0 {
 		if sessioninit.CacheEnabled.Get(&params.p.ExecCfg().Settings.SV) {
 			if err := params.p.bumpUsersTableVersion(params.ctx); err != nil {
 				return err
@@ -252,6 +261,10 @@ func (n *DropProvisionedRolesNode) evalFilterExprs(
 		if err != nil {
 			return nil, nil, err
 		}
+		if d == tree.DNull {
+			return nil, nil, pgerror.Newf(pgcode.InvalidParameterValue,
+				"SOURCE filter cannot be NULL")
+		}
 		s := string(tree.MustBeDString(d))
 		sourceVal = &s
 	}
@@ -260,6 +273,10 @@ func (n *DropProvisionedRolesNode) evalFilterExprs(
 		if err != nil {
 			return nil, nil, err
 		}
+		if d == tree.DNull {
+			return nil, nil, pgerror.Newf(pgcode.InvalidParameterValue,
+				"LAST LOGIN BEFORE filter cannot be NULL")
+		}
 		v := tree.MustBeDTimestampTZ(d)
 		lastLoginVal = &v
 	}