hs.hsadmin.ng/sql/25-hs-emailaddress.sql


-- ========================================================
-- EMailAddress example with RBAC
-- --------------------------------------------------------

SET SESSION SESSION AUTHORIZATION DEFAULT ;

CREATE TABLE IF NOT EXISTS EMailAddress (
    uuid uuid UNIQUE REFERENCES RbacObject(uuid),
    localPart character varying(64),
    domainUuid uuid REFERENCES domain(uuid)
);

DROP TRIGGER IF EXISTS createRbacObjectForEMailAddress_Trigger ON EMailAddress;
CREATE TRIGGER createRbacObjectForEMailAddress_Trigger
    BEFORE INSERT ON EMailAddress
    FOR EACH ROW EXECUTE PROCEDURE createRbacObject();

CREATE OR REPLACE FUNCTION emailAddressOwner(emAddr EMailAddress)
    RETURNS RbacRoleDescriptor
    RETURNS NULL ON NULL INPUT
    LANGUAGE plpgsql AS $$
begin
    return roleDescriptor('emailaddress', emAddr.uuid, 'owner');
end; $$;

CREATE OR REPLACE FUNCTION emailAddressAdmin(emAddr EMailAddress)
    RETURNS RbacRoleDescriptor
    RETURNS NULL ON NULL INPUT
    LANGUAGE plpgsql AS $$
begin
    return roleDescriptor('emailaddress', emAddr.uuid, 'admin');
end; $$;

CREATE OR REPLACE FUNCTION createRbacRulesForEMailAddress()
    RETURNS trigger
    LANGUAGE plpgsql STRICT AS $$
DECLARE
    parentDomain              Domain;
    eMailAddressOwnerRoleUuid uuid;
BEGIN
    IF TG_OP <> 'INSERT' THEN
        RAISE EXCEPTION 'invalid usage of TRIGGER AFTER INSERT';
    END IF;

    SELECT d.*
      FROM domain d
      LEFT JOIN unixuser u ON u.uuid = d.unixuseruuid
     WHERE d.uuid=NEW.domainUuid INTO parentDomain;

    -- an owner role is created and assigned to the domains's admin group
    eMailAddressOwnerRoleUuid = createRole(
        emailAddressOwner(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),
        beneathRole(domainAdmin( parentDomain))
        );

    -- and an admin role is created and assigned to the unixuser owner as well
    perform createRole(
        emailAddressAdmin(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['edit']),
        beneathRole(eMailAddressOwnerRoleUuid),
        beingItselfA(domainTenant(parentDomain))
        );

    RETURN NEW;
END; $$;

DROP TRIGGER IF EXISTS createRbacRulesForEMailAddress_Trigger ON EMailAddress;
CREATE TRIGGER createRbacRulesForEMailAddress_Trigger
    AFTER INSERT ON EMailAddress
    FOR EACH ROW EXECUTE PROCEDURE createRbacRulesForEMailAddress();

-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForEMailAddress()


-- create RBAC-restricted view
SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS EMailAddress_rv;
CREATE OR REPLACE VIEW EMailAddress_rv AS
    SELECT DISTINCT target.*
    FROM EMailAddress AS target
    WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds()));
GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted;

-- generate EMailAddress test data

DO LANGUAGE plpgsql $$
    DECLARE
        dom record;
        pacAdmin varchar;
        currentTask varchar;
    BEGIN
        SET hsadminng.currentUser TO '';

        FOR dom IN (
            SELECT d.uuid, d.name, p.name as packageName
              FROM domain d
              JOIN unixuser u ON u.uuid = d.unixuseruuid
              JOIN package p ON u.packageuuid = p.uuid
              JOIN customer c ON p.customeruuid = c.uuid
             -- WHERE c.reference >= 18000
                  ) LOOP
            FOR t IN 0..4 LOOP
                currentTask = 'creating RBAC test EMailAddress #' || t || ' for Domain ' || dom.name;
                RAISE NOTICE 'task: %', currentTask;

                pacAdmin = 'admin@' || dom.packageName || '.example.com';
                SET LOCAL hsadminng.currentUser TO pacAdmin;
                SET LOCAL hsadminng.assumedRoles = '';
                SET LOCAL hsadminng.currentTask TO currentTask;

                INSERT INTO EMailAddress (localPart, domainUuid)
                   VALUES ('local' || t, dom.uuid);

                COMMIT;
            END LOOP;
        END LOOP;
    END;
$$;
removing JHipster 2022-07-22 13:31:37 +02:00
			`-- ========================================================`
			`-- EMailAddress example with RBAC`
			`-- --------------------------------------------------------`

			`SET SESSION SESSION AUTHORIZATION DEFAULT ;`

			`CREATE TABLE IF NOT EXISTS EMailAddress (`
			`uuid uuid UNIQUE REFERENCES RbacObject(uuid),`
			`localPart character varying(64),`
			`domainUuid uuid REFERENCES domain(uuid)`
			`);`

			`DROP TRIGGER IF EXISTS createRbacObjectForEMailAddress_Trigger ON EMailAddress;`
			`CREATE TRIGGER createRbacObjectForEMailAddress_Trigger`
			`BEFORE INSERT ON EMailAddress`
			`FOR EACH ROW EXECUTE PROCEDURE createRbacObject();`

introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`CREATE OR REPLACE FUNCTION emailAddressOwner(emAddr EMailAddress)`
			`RETURNS RbacRoleDescriptor`
			`RETURNS NULL ON NULL INPUT`
			`LANGUAGE plpgsql AS $$`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`begin`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`return roleDescriptor('emailaddress', emAddr.uuid, 'owner');`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`end; $$;`

introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`CREATE OR REPLACE FUNCTION emailAddressAdmin(emAddr EMailAddress)`
			`RETURNS RbacRoleDescriptor`
			`RETURNS NULL ON NULL INPUT`
			`LANGUAGE plpgsql AS $$`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`begin`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`return roleDescriptor('emailaddress', emAddr.uuid, 'admin');`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`end; $$;`

removing JHipster 2022-07-22 13:31:37 +02:00			`CREATE OR REPLACE FUNCTION createRbacRulesForEMailAddress()`
			`RETURNS trigger`
			`LANGUAGE plpgsql STRICT AS $$`
			`DECLARE`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`parentDomain Domain;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`eMailAddressOwnerRoleUuid uuid;`
removing JHipster 2022-07-22 13:31:37 +02:00			`BEGIN`
			`IF TG_OP <> 'INSERT' THEN`
			`RAISE EXCEPTION 'invalid usage of TRIGGER AFTER INSERT';`
			`END IF;`

introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`SELECT d.*`
			`FROM domain d`
			`LEFT JOIN unixuser u ON u.uuid = d.unixuseruuid`
			`WHERE d.uuid=NEW.domainUuid INTO parentDomain;`
removing JHipster 2022-07-22 13:31:37 +02:00
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`-- an owner role is created and assigned to the domains's admin group`
			`eMailAddressOwnerRoleUuid = createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`emailAddressOwner(NEW),`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`beneathRole(domainAdmin( parentDomain))`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`

			`-- and an admin role is created and assigned to the unixuser owner as well`
			`perform createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`emailAddressAdmin(NEW),`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['edit']),`
			`beneathRole(eMailAddressOwnerRoleUuid),`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`beingItselfA(domainTenant(parentDomain))`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`
removing JHipster 2022-07-22 13:31:37 +02:00
			`RETURN NEW;`
			`END; $$;`

			`DROP TRIGGER IF EXISTS createRbacRulesForEMailAddress_Trigger ON EMailAddress;`
			`CREATE TRIGGER createRbacRulesForEMailAddress_Trigger`
			`AFTER INSERT ON EMailAddress`
			`FOR EACH ROW EXECUTE PROCEDURE createRbacRulesForEMailAddress();`

			`-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForEMailAddress()`


_rv query performance experiments 2022-07-27 12:32:54 +02:00			`-- create RBAC-restricted view`
removing JHipster 2022-07-22 13:31:37 +02:00			`SET SESSION SESSION AUTHORIZATION DEFAULT;`
			`ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;`
			`DROP VIEW IF EXISTS EMailAddress_rv;`
			`CREATE OR REPLACE VIEW EMailAddress_rv AS`
			`SELECT DISTINCT target.*`
			`FROM EMailAddress AS target`
the _rv query with WHERE IN was faster after all, removing the JOIN variant 2022-07-27 13:05:19 +02:00			`WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds()));`
_rv query performance experiments 2022-07-27 12:32:54 +02:00			`GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted;`
removing JHipster 2022-07-22 13:31:37 +02:00
			`-- generate EMailAddress test data`

			`DO LANGUAGE plpgsql $$`
			`DECLARE`
_rv query performance experiments 2022-07-27 12:32:54 +02:00			`dom record;`
removing JHipster 2022-07-22 13:31:37 +02:00			`pacAdmin varchar;`
			`currentTask varchar;`
			`BEGIN`
			`SET hsadminng.currentUser TO '';`

_rv query performance experiments 2022-07-27 12:32:54 +02:00			`FOR dom IN (`
			`SELECT d.uuid, d.name, p.name as packageName`
			`FROM domain d`
			`JOIN unixuser u ON u.uuid = d.unixuseruuid`
			`JOIN package p ON u.packageuuid = p.uuid`
			`JOIN customer c ON p.customeruuid = c.uuid`
			`-- WHERE c.reference >= 18000`
			`) LOOP`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`FOR t IN 0..4 LOOP`
removing JHipster 2022-07-22 13:31:37 +02:00			`currentTask = 'creating RBAC test EMailAddress #' \|\| t \|\| ' for Domain ' \|\| dom.name;`
			`RAISE NOTICE 'task: %', currentTask;`

_rv query performance experiments 2022-07-27 12:32:54 +02:00			`pacAdmin = 'admin@' \|\| dom.packageName \|\| '.example.com';`
removing JHipster 2022-07-22 13:31:37 +02:00			`SET LOCAL hsadminng.currentUser TO pacAdmin;`
			`SET LOCAL hsadminng.assumedRoles = '';`
			`SET LOCAL hsadminng.currentTask TO currentTask;`

			`INSERT INTO EMailAddress (localPart, domainUuid)`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`VALUES ('local' \|\| t, dom.uuid);`
removing JHipster 2022-07-22 13:31:37 +02:00
			`COMMIT;`
			`END LOOP;`
			`END LOOP;`
			`END;`
			`$$;`