hs.hsadmin.ng/src/main/resources/db/changelog/1-rbac/1051-rbac-subject-grant.sql

--liquibase formatted sql

-- ============================================================================
--changeset rbac-user-grant-GRANT-ROLE-TO-USER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

create or replace function rbac.assumedRoleUuid()
    returns uuid
    stable -- leakproof
    language plpgsql as $$
declare
    currentSubjectOrAssumedRolesUuids uuid[];
begin
    -- exactly one role must be assumed, not none not more than one
    if cardinality(base.assumedRoles()) <> 1 then
        raise exception '[400] Granting roles to user is only possible if exactly one role is assumed, given: %', base.assumedRoles();
    end if;

    currentSubjectOrAssumedRolesUuids := rbac.currentSubjectOrAssumedRolesUuids();
    return currentSubjectOrAssumedRolesUuids[1];
end; $$;

create or replace procedure rbac.grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true)
    language plpgsql as $$
begin
    perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'rbac.role');
    perform rbac.assertReferenceType('roleId (descendant)', grantedRoleUuid, 'rbac.role');
    perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');

    insert
        into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
        values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)
    -- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
    on conflict do nothing; -- allow granting multiple times
end; $$;

create or replace procedure rbac.grantRoleToSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true)
    language plpgsql as $$
declare
    grantedByRoleIdName text;
    grantedRoleIdName text;
begin
    perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'rbac.role');
    perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'rbac.role');
    perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');

    assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null';
    assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';
    assert subjectUuid is not null, 'subjectUuid must not be null';

    if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
        select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
        raise exception '[403] Access to granted-by-role % (%) forbidden for % (%)',
                grantedByRoleIdName, grantedByRoleUuid, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
    end if;
    if NOT rbac.isGranted(grantedByRoleUuid, grantedRoleUuid) then
        select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
        select roleIdName from rbac.role_ev where uuid=grantedRoleUuid into grantedRoleIdName;
        raise exception '[403] Access to granted role % (%) forbidden for % (%)',
                grantedRoleIdName, grantedRoleUuid, grantedByRoleIdName, grantedByRoleUuid;
    end if;

    insert
        into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
        values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);
    -- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?
    --      Most powerful or latest grant wins? What about managed?
    -- on conflict do nothing; -- allow granting multiple times
end; $$;
--//


-- ============================================================================
--changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

create or replace procedure rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid)
    language plpgsql as $$
begin
    perform rbac.assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'rbac.role');
    perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'rbac.role');
    perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');

    if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
        raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, base.currentSubjects();
    end if;

    if NOT rbac.isGranted(grantedByRoleUuid, grantedRoleUuid) then
        raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, base.currentSubjects();
    end if;

    --raise exception 'rbac.isGranted(%, %)', rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid;
    if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
        raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, base.currentSubjects();
    end if;

    if NOT rbac.isGranted(subjectUuid, grantedRoleUuid) then
        raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid;
    end if;
end; $$;

create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid)
    language plpgsql as $$
begin
    call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);

    raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
    delete from rbac.grants as g
       where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid
         and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;
end; $$;
--//

-- ============================================================================
--changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
    language plpgsql as $$
begin
    raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
    delete from rbac.grants as g
           where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid;
end; $$;
--//
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`--liquibase formatted sql`

			`-- ============================================================================`
			`--changeset rbac-user-grant-GRANT-ROLE-TO-USER:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`

rbac.assumedRoleUuid 2024-09-13 14:53:40 +02:00			`create or replace function rbac.assumedRoleUuid()`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`returns uuid`
initial data import for hs-office tables (db-migration #10) Co-authored-by: Michael Hoennig <michael@hoennig.de> Co-authored-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/10 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-01-23 15:11:23 +01:00			`stable -- leakproof`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`language plpgsql as $$`
			`declare`
rbacuser->rbac.subject, tx_journal_tg, rbac.referenceType, rbac.reference, rbac.create_subject, rbac.find_subject_id, rbac.insert_related_object tc. 2024-09-13 12:44:56 +02:00			`currentSubjectOrAssumedRolesUuids uuid[];`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`begin`
			`-- exactly one role must be assumed, not none not more than one`
schema basis -> base 2024-09-13 20:21:12 +02:00			`if cardinality(base.assumedRoles()) <> 1 then`
			`raise exception '[400] Granting roles to user is only possible if exactly one role is assumed, given: %', base.assumedRoles();`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end if;`

rbacuser->rbac.subject, tx_journal_tg, rbac.referenceType, rbac.reference, rbac.create_subject, rbac.find_subject_id, rbac.insert_related_object tc. 2024-09-13 12:44:56 +02:00			`currentSubjectOrAssumedRolesUuids := rbac.currentSubjectOrAssumedRolesUuids();`
			`return currentSubjectOrAssumedRolesUuids[1];`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end; $$;`

rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`create or replace procedure rbac.grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true)`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`language plpgsql as $$`
			`begin`
rbac.role 2024-09-13 20:46:54 +02:00			`perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'rbac.role');`
			`perform rbac.assertReferenceType('roleId (descendant)', grantedRoleUuid, 'rbac.role');`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00
			`insert`
rbac.grants 2024-09-13 20:31:41 +02:00			`into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)`
RBAC generator with conditional grants used for REPRESENTATIVE-Relation (#33) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/33 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net> 2024-04-08 11:16:06 +02:00			`-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?`
			`on conflict do nothing; -- allow granting multiple times`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end; $$;`

rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`create or replace procedure rbac.grantRoleToSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true)`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`language plpgsql as $$`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`declare`
			`grantedByRoleIdName text;`
			`grantedRoleIdName text;`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`begin`
rbac.role 2024-09-13 20:46:54 +02:00			`perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'rbac.role');`
			`perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'rbac.role');`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null';`
			`assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`assert subjectUuid is not null, 'subjectUuid must not be null';`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00
most remaining from base+rbac 2024-09-14 10:34:11 +02:00			`if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then`
rbac.role 2024-09-13 20:46:54 +02:00			`select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`raise exception '[403] Access to granted-by-role % (%) forbidden for % (%)',`
fix rbac.currentSubjects() -> base.currentSubjects() 2024-09-14 10:58:57 +02:00			`grantedByRoleIdName, grantedByRoleUuid, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end if;`
most remaining from base+rbac 2024-09-14 10:34:11 +02:00			`if NOT rbac.isGranted(grantedByRoleUuid, grantedRoleUuid) then`
rbac.role 2024-09-13 20:46:54 +02:00			`select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;`
			`select roleIdName from rbac.role_ev where uuid=grantedRoleUuid into grantedRoleIdName;`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`raise exception '[403] Access to granted role % (%) forbidden for % (%)',`
			`grantedRoleIdName, grantedRoleUuid, grantedByRoleIdName, grantedByRoleUuid;`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end if;`

			`insert`
rbac.grants 2024-09-13 20:31:41 +02:00			`into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);`
			`-- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`-- Most powerful or latest grant wins? What about managed?`
			`-- on conflict do nothing; -- allow granting multiple times`
			`end; $$;`
			`--//`


			`-- ============================================================================`
			`--changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`

rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`create or replace procedure rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid)`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`language plpgsql as $$`
			`begin`
rbac.role 2024-09-13 20:46:54 +02:00			`perform rbac.assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'rbac.role');`
			`perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'rbac.role');`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00
most remaining from base+rbac 2024-09-14 10:34:11 +02:00			`if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then`
fix rbac.currentSubjects() -> base.currentSubjects() 2024-09-14 10:58:57 +02:00			`raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, base.currentSubjects();`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end if;`

most remaining from base+rbac 2024-09-14 10:34:11 +02:00			`if NOT rbac.isGranted(grantedByRoleUuid, grantedRoleUuid) then`
fix rbac.currentSubjects() -> base.currentSubjects() 2024-09-14 10:58:57 +02:00			`raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, base.currentSubjects();`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end if;`

most remaining from base+rbac 2024-09-14 10:34:11 +02:00			`--raise exception 'rbac.isGranted(%, %)', rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid;`
			`if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then`
fix rbac.currentSubjects() -> base.currentSubjects() 2024-09-14 10:58:57 +02:00			`raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, base.currentSubjects();`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end if;`

most remaining from base+rbac 2024-09-14 10:34:11 +02:00			`if NOT rbac.isGranted(subjectUuid, grantedRoleUuid) then`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid;`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end if;`
			`end; $$;`

rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid)`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`language plpgsql as $$`
			`begin`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00
rbac.grants 2024-09-13 20:31:41 +02:00			`raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;`
			`delete from rbac.grants as g`
rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid`
			`and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`end; $$;`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`--//`

			`-- ============================================================================`
			`--changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`

rbac schema for user-grant 2024-09-13 16:20:14 +02:00			`create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`language plpgsql as $$`
			`begin`
rbac.grants 2024-09-13 20:31:41 +02:00			`raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;`
			`delete from rbac.grants as g`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid;`
			`end; $$;`
			`--//`