hs.hsadmin.ng/src/main/resources/db/changelog/050-rbac-base.sql

629 lines
22 KiB
MySQL
Raw Normal View History

--liquibase formatted sql
2022-07-22 13:31:37 +02:00
-- ============================================================================
--changeset rbac-base-REFERENCE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
2022-07-22 13:31:37 +02:00
*/
2022-07-29 08:46:04 +02:00
create type ReferenceType as enum ('RbacUser', 'RbacRole', 'RbacPermission');
2022-07-22 13:31:37 +02:00
2022-07-29 08:46:04 +02:00
create table RbacReference
2022-07-22 13:31:37 +02:00
(
2022-07-29 08:46:04 +02:00
uuid uuid unique default uuid_generate_v4(),
2022-07-22 13:31:37 +02:00
type ReferenceType not null
);
2022-07-29 08:46:04 +02:00
create or replace function assertReferenceType(argument varchar, referenceId uuid, expectedType ReferenceType)
returns ReferenceType
language plpgsql as $$
declare
actualType ReferenceType;
2022-07-29 08:46:04 +02:00
begin
actualType = (select type from RbacReference where uuid = referenceId);
if (actualType <> expectedType) then
raise exception '% must reference a %, but got a %', argument, expectedType, actualType;
end if;
2022-07-29 08:46:04 +02:00
return expectedType;
end; $$;
--//
2022-07-22 13:31:37 +02:00
-- ============================================================================
--changeset rbac-base-USER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
2022-07-27 12:32:54 +02:00
*/
2022-07-29 08:46:04 +02:00
create table RbacUser
(
2022-07-29 08:46:04 +02:00
uuid uuid primary key references RbacReference (uuid) on delete cascade,
name varchar(63) not null unique
);
2022-07-22 13:31:37 +02:00
call create_journal('RbacUser');
2022-08-24 12:01:54 +02:00
2022-07-29 08:46:04 +02:00
create or replace function createRbacUser(userName varchar)
returns uuid
returns null on null input
language plpgsql as $$
2022-07-22 13:31:37 +02:00
declare
objectId uuid;
2022-07-29 08:46:04 +02:00
begin
insert
into RbacReference (type)
values ('RbacUser')
returning uuid into objectId;
2022-07-29 08:46:04 +02:00
insert
into RbacUser (uuid, name)
values (objectid, userName);
2022-07-22 13:31:37 +02:00
return objectId;
2022-07-29 08:46:04 +02:00
end;
2022-07-22 13:31:37 +02:00
$$;
create or replace function createRbacUser(refUuid uuid, userName varchar)
returns uuid
called on null input
language plpgsql as $$
begin
insert
into RbacReference as r (uuid, type)
2022-08-13 16:47:36 +02:00
values (coalesce(refUuid, uuid_generate_v4()), 'RbacUser')
returning r.uuid into refUuid;
insert
into RbacUser (uuid, name)
values (refUuid, userName);
return refUuid;
end;
$$;
2022-07-29 08:46:04 +02:00
create or replace function findRbacUserId(userName varchar)
returns uuid
returns null on null input
language sql as $$
select uuid from RbacUser where name = userName
2022-07-22 13:31:37 +02:00
$$;
2022-07-29 08:46:04 +02:00
create type RbacWhenNotExists as enum ('fail', 'create');
2022-07-29 08:46:04 +02:00
create or replace function getRbacUserId(userName varchar, whenNotExists RbacWhenNotExists)
returns uuid
returns null on null input
language plpgsql as $$
declare
2022-07-22 13:31:37 +02:00
userUuid uuid;
2022-07-29 08:46:04 +02:00
begin
userUuid = findRbacUserId(userName);
2022-07-29 08:46:04 +02:00
if (userUuid is null) then
if (whenNotExists = 'fail') then
raise exception 'RbacUser with name="%" not found', userName;
end if;
if (whenNotExists = 'create') then
2022-07-22 13:31:37 +02:00
userUuid = createRbacUser(userName);
2022-07-29 08:46:04 +02:00
end if;
end if;
2022-07-22 13:31:37 +02:00
return userUuid;
2022-07-29 08:46:04 +02:00
end;
2022-07-22 13:31:37 +02:00
$$;
--//
-- ============================================================================
--changeset rbac-base-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
2022-07-29 08:46:04 +02:00
create table RbacObject
(
2022-07-29 08:46:04 +02:00
uuid uuid primary key default uuid_generate_v4(),
objectTable varchar(64) not null,
unique (objectTable, uuid)
);
call create_journal('RbacObject');
2022-08-24 12:01:54 +02:00
2022-07-29 08:46:04 +02:00
create or replace function createRbacObject()
returns trigger
language plpgsql
strict as $$
declare
objectUuid uuid;
2022-07-29 08:46:04 +02:00
begin
if TG_OP = 'INSERT' then
if NEW.uuid is null then
insert
into RbacObject (objectTable)
values (TG_TABLE_NAME)
returning uuid into objectUuid;
NEW.uuid = objectUuid;
else
insert
into RbacObject (uuid, objectTable)
values (NEW.uuid, TG_TABLE_NAME)
returning uuid into objectUuid;
end if;
2022-07-29 08:46:04 +02:00
return NEW;
else
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
end; $$;
--//
-- ============================================================================
--changeset rbac-base-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
2022-07-29 08:46:04 +02:00
create type RbacRoleType as enum ('owner', 'admin', 'tenant');
2022-07-29 08:46:04 +02:00
create table RbacRole
(
2022-07-29 08:46:04 +02:00
uuid uuid primary key references RbacReference (uuid) on delete cascade,
objectUuid uuid references RbacObject (uuid) not null,
roleType RbacRoleType not null,
unique (objectUuid, roleType)
);
call create_journal('RbacRole');
2022-08-24 12:01:54 +02:00
2022-07-29 08:46:04 +02:00
create type RbacRoleDescriptor as
(
2022-09-07 12:25:12 +02:00
objectTable varchar(63), -- for human readability and easier debugging
2022-07-29 08:46:04 +02:00
objectUuid uuid,
roleType RbacRoleType
);
2022-07-29 08:46:04 +02:00
create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType)
returns RbacRoleDescriptor
returns null on null input
2022-08-03 06:12:16 +02:00
stable leakproof
2022-07-29 08:46:04 +02:00
language sql as $$
select objectTable, objectUuid, roleType::RbacRoleType;
$$;
2022-07-29 08:46:04 +02:00
create or replace function createRole(roleDescriptor RbacRoleDescriptor)
returns uuid
returns null on null input
language plpgsql as $$
2022-07-22 13:31:37 +02:00
declare
referenceId uuid;
2022-07-29 08:46:04 +02:00
begin
insert
into RbacReference (type)
values ('RbacRole')
returning uuid into referenceId;
2022-07-29 08:46:04 +02:00
insert
into RbacRole (uuid, objectUuid, roleType)
values (referenceId, roleDescriptor.objectUuid, roleDescriptor.roleType);
2022-07-22 13:31:37 +02:00
return referenceId;
2022-07-29 08:46:04 +02:00
end;
2022-07-22 13:31:37 +02:00
$$;
2022-07-29 08:46:04 +02:00
create or replace procedure deleteRole(roleUUid uuid)
language plpgsql as $$
begin
delete from RbacRole where uuid = roleUUid;
end;
2022-07-22 13:31:37 +02:00
$$;
2022-08-13 16:47:36 +02:00
create or replace function findRoleId(roleIdName varchar)
returns uuid
returns null on null input
language plpgsql as $$
declare
roleParts text;
roleTypeFromRoleIdName RbacRoleType;
objectNameFromRoleIdName text;
objectTableFromRoleIdName text;
objectUuidOfRole uuid;
roleUuid uuid;
begin
2022-09-07 12:25:12 +02:00
-- TODO.refact: extract function toRbacRoleDescriptor(roleIdName varchar) + find other occurrences
2022-08-13 16:47:36 +02:00
roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), '.'));
objectTableFromRoleIdName = split_part(roleParts, '#', 1);
objectNameFromRoleIdName = split_part(roleParts, '#', 2);
roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
raise notice $sql$findObjectUuidByIdName('%', '%') = %;$sql$, objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole;
raise notice 'finding %, % (%), %', objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole, roleTypeFromRoleIdName;
2022-08-13 16:47:36 +02:00
select uuid
from RbacRole
where objectUuid = objectUuidOfRole
and roleType = roleTypeFromRoleIdName
into roleUuid;
return roleUuid;
end; $$;
2022-07-29 08:46:04 +02:00
create or replace function findRoleId(roleDescriptor RbacRoleDescriptor)
returns uuid
returns null on null input
language sql as $$
select uuid from RbacRole where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
2022-07-22 13:31:37 +02:00
$$;
2022-07-29 08:46:04 +02:00
create or replace function getRoleId(roleDescriptor RbacRoleDescriptor, whenNotExists RbacWhenNotExists)
returns uuid
returns null on null input
language plpgsql as $$
declare
2022-07-22 13:31:37 +02:00
roleUuid uuid;
2022-07-29 08:46:04 +02:00
begin
roleUuid = findRoleId(roleDescriptor);
2022-07-29 08:46:04 +02:00
if (roleUuid is null) then
if (whenNotExists = 'fail') then
raise exception 'RbacRole "%#%.%" not found', roleDescriptor.objectTable, roleDescriptor.objectUuid, roleDescriptor.roleType;
end if;
if (whenNotExists = 'create') then
roleUuid = createRole(roleDescriptor);
2022-07-29 08:46:04 +02:00
end if;
end if;
2022-07-22 13:31:37 +02:00
return roleUuid;
2022-07-29 08:46:04 +02:00
end;
2022-07-22 13:31:37 +02:00
$$;
-- ============================================================================
--changeset rbac-base-PERMISSION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
2022-07-29 08:46:04 +02:00
create domain RbacOp as varchar(67)
check (
VALUE = '*'
or VALUE = 'delete'
or VALUE = 'edit'
or VALUE = 'view'
or VALUE = 'assume'
or VALUE ~ '^add-[a-z]+$'
or VALUE ~ '^new-[a-z]+$'
);
2022-07-29 08:46:04 +02:00
create table RbacPermission
(
uuid uuid primary key references RbacReference (uuid) on delete cascade,
objectUuid uuid not null references RbacObject,
op RbacOp not null,
unique (objectUuid, op)
);
call create_journal('RbacPermission');
2022-08-24 12:01:54 +02:00
create or replace function permissionExists(forObjectUuid uuid, forOp RbacOp)
2022-07-29 08:46:04 +02:00
returns bool
language sql as $$
select exists(
select op
from RbacPermission p
where p.objectUuid = forObjectUuid
and p.op in ('*', forOp)
);
$$;
create or replace function createPermissions(forObjectUuid uuid, permitOps RbacOp[])
returns uuid[]
language plpgsql as $$
declare
refId uuid;
permissionIds uuid[] = array []::uuid[];
begin
raise notice 'createPermission for: % %', forObjectUuid, permitOps;
if (forObjectUuid is null) then
raise exception 'forObjectUuid must not be null';
end if;
if (array_length(permitOps, 1) > 1 and '*' = any (permitOps)) then
raise exception '"*" operation must not be assigned along with other operations: %', permitOps;
end if;
for i in array_lower(permitOps, 1)..array_upper(permitOps, 1)
loop
refId = (select uuid from RbacPermission where objectUuid = forObjectUuid and op = permitOps[i]);
if (refId is null) then
raise notice 'createPermission: % %', forObjectUuid, permitOps[i];
insert
into RbacReference ("type")
values ('RbacPermission')
returning uuid into refId;
2022-07-29 08:46:04 +02:00
insert
into RbacPermission (uuid, objectUuid, op)
values (refId, forObjectUuid, permitOps[i]);
2022-07-29 08:46:04 +02:00
end if;
raise notice 'addPermission: %', refId;
permissionIds = permissionIds || refId;
end loop;
raise notice 'createPermissions returning: %', permissionIds;
2022-07-22 13:31:37 +02:00
return permissionIds;
2022-07-29 08:46:04 +02:00
end;
2022-07-22 13:31:37 +02:00
$$;
2022-07-29 08:46:04 +02:00
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
returns uuid
returns null on null input
stable leakproof
language sql as $$
select uuid
from RbacPermission p
where p.objectUuid = forObjectUuid
and p.op in ('*', forOp)
2022-07-22 13:31:37 +02:00
$$;
--//
-- ============================================================================
--changeset rbac-base-GRANTS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
2022-08-13 16:47:36 +02:00
Table to store grants / role- or permission assignments to users or roles.
*/
2022-07-29 08:46:04 +02:00
create table RbacGrants
(
2022-08-24 12:01:54 +02:00
uuid uuid primary key default uuid_generate_v4(),
grantedByRoleUuid uuid references RbacRole (uuid) on delete cascade,
ascendantUuid uuid references RbacReference (uuid) on delete cascade not null,
descendantUuid uuid references RbacReference (uuid) on delete cascade not null,
assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
2022-08-24 12:01:54 +02:00
unique (ascendantUuid, descendantUuid)
);
2022-07-29 08:46:04 +02:00
create index on RbacGrants (ascendantUuid);
create index on RbacGrants (descendantUuid);
call create_journal('RbacGrants');
2022-07-29 08:46:04 +02:00
create or replace function findGrantees(grantedId uuid)
returns setof RbacReference
returns null on null input
language sql as $$
select reference.*
from (with recursive grants as (select descendantUuid,
ascendantUuid
from RbacGrants
where descendantUuid = grantedId
union all
select "grant".descendantUuid,
"grant".ascendantUuid
from RbacGrants "grant"
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid)
select ascendantUuid
from grants) as grantee
join RbacReference reference on reference.uuid = grantee.ascendantUuid;
$$;
2022-07-29 08:46:04 +02:00
create or replace function isGranted(granteeId uuid, grantedId uuid)
returns bool
returns null on null input
language sql as $$
select granteeId = grantedId or granteeId in (with recursive grants as (select descendantUuid, ascendantUuid
from RbacGrants
where descendantUuid = grantedId
union all
select "grant".descendantUuid, "grant".ascendantUuid
from RbacGrants "grant"
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid)
select ascendantUuid
from grants);
$$;
2022-08-03 06:12:16 +02:00
create or replace function isGranted(granteeIds uuid[], grantedId uuid)
returns bool
returns null on null input
language plpgsql as $$
declare
granteeId uuid;
begin
2022-09-07 12:25:12 +02:00
-- TODO.perf: needs optimization
2022-08-13 16:47:36 +02:00
foreach granteeId in array granteeIds
loop
2022-08-03 06:12:16 +02:00
if isGranted(granteeId, grantedId) then
return true;
end if;
end loop;
return false;
end; $$;
2022-07-29 08:46:04 +02:00
create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
returns BOOL
stable leakproof
language sql as $$
select exists(
select *
from RbacUser
where uuid in (with recursive grants as (select descendantUuid,
ascendantUuid
from RbacGrants g
where g.descendantUuid = permissionId
union all
select g.descendantUuid,
g.ascendantUuid
from RbacGrants g
inner join grants recur on recur.ascendantUuid = g.descendantUuid)
select ascendantUuid
from grants
where ascendantUuid = subjectId)
);
$$;
2022-07-22 13:31:37 +02:00
create or replace function hasGlobalRoleGranted(userUuid uuid)
returns bool
stable leakproof
language sql as $$
select exists(
select r.uuid
2022-08-13 16:47:36 +02:00
from RbacGrants as g
join RbacRole as r on r.uuid = g.descendantuuid
join RbacObject as o on o.uuid = r.objectuuid
where g.ascendantuuid = userUuid
and o.objecttable = 'global'
);
$$;
2022-07-29 08:46:04 +02:00
create or replace procedure grantPermissionsToRole(roleUuid uuid, permissionIds uuid[])
language plpgsql as $$
begin
raise notice 'grantPermissionsToRole: % -> %', roleUuid, permissionIds;
if cardinality(permissionIds) = 0 then return; end if;
2022-07-29 08:46:04 +02:00
for i in array_lower(permissionIds, 1)..array_upper(permissionIds, 1)
loop
perform assertReferenceType('roleId (ascendant)', roleUuid, 'RbacRole');
perform assertReferenceType('permissionId (descendant)', permissionIds[i], 'RbacPermission');
insert
into RbacGrants (ascendantUuid, descendantUuid, assumed)
values (roleUuid, permissionIds[i], true)
on conflict do nothing; -- allow granting multiple times
2022-07-29 08:46:04 +02:00
end loop;
end;
2022-07-22 13:31:37 +02:00
$$;
2022-08-13 16:47:36 +02:00
create or replace procedure grantRoleToRole(subRoleId uuid, superRoleId uuid, doAssume bool = true)
2022-07-29 08:46:04 +02:00
language plpgsql as $$
begin
2022-07-22 13:31:37 +02:00
perform assertReferenceType('superRoleId (ascendant)', superRoleId, 'RbacRole');
2022-07-29 08:46:04 +02:00
perform assertReferenceType('subRoleId (descendant)', subRoleId, 'RbacRole');
2022-07-22 13:31:37 +02:00
if isGranted(subRoleId, superRoleId) then
raise exception '[400] Cyclic role grant detected between % and %', subRoleId, superRoleId;
2022-07-29 08:46:04 +02:00
end if;
2022-07-22 13:31:37 +02:00
2022-07-29 08:46:04 +02:00
insert
into RbacGrants (ascendantuuid, descendantUuid, assumed)
values (superRoleId, subRoleId, doAssume)
on conflict do nothing; -- allow granting multiple times
2022-07-29 08:46:04 +02:00
end; $$;
2022-07-22 13:31:37 +02:00
2022-07-29 08:46:04 +02:00
create or replace procedure revokeRoleFromRole(subRoleId uuid, superRoleId uuid)
language plpgsql as $$
begin
2022-07-22 13:31:37 +02:00
perform assertReferenceType('superRoleId (ascendant)', superRoleId, 'RbacRole');
2022-07-29 08:46:04 +02:00
perform assertReferenceType('subRoleId (descendant)', subRoleId, 'RbacRole');
2022-07-22 13:31:37 +02:00
2022-07-29 08:46:04 +02:00
if (isGranted(subRoleId, superRoleId)) then
delete from RbacGrants where ascendantUuid = superRoleId and descendantUuid = subRoleId;
end if;
end; $$;
2022-07-22 13:31:37 +02:00
-- ============================================================================
--changeset rbac-base-QUERY-ACCESSIBLE-OBJECT-UUIDS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
2022-07-29 08:46:04 +02:00
create or replace function queryAccessibleObjectUuidsOfSubjectIds(
requiredOp RbacOp,
forObjectTable varchar, -- reduces the result set, but is not really faster when used in restricted view
subjectIds uuid[],
maxObjects integer = 8000)
returns setof uuid
returns null on null input
language plpgsql as $$
declare
foundRows bigint;
begin
return query select distinct perm.objectUuid
from (with recursive grants as (select descendantUuid, ascendantUuid, 1 as level
from RbacGrants
2022-08-13 16:47:36 +02:00
where assumed
2022-07-29 08:46:04 +02:00
and ascendantUuid = any (subjectIds)
union
distinct
select "grant".descendantUuid, "grant".ascendantUuid, level + 1 as level
from RbacGrants "grant"
inner join grants recur on recur.descendantUuid = "grant".ascendantUuid
2022-08-13 16:47:36 +02:00
where assumed)
2022-07-29 08:46:04 +02:00
select descendantUuid
from grants) as granted
join RbacPermission perm
on granted.descendantUuid = perm.uuid and perm.op in ('*', requiredOp)
join RbacObject obj on obj.uuid = perm.objectUuid and obj.objectTable = forObjectTable
limit maxObjects + 1;
foundRows = lastRowCount();
if foundRows > maxObjects then
raise exception '[400] Too many accessible objects, limit is %, found %.', maxObjects, foundRows
2022-07-29 08:46:04 +02:00
using
errcode = 'P0003',
hint = 'Please assume a sub-role and try again.';
end if;
end;
2022-07-22 13:31:37 +02:00
$$;
--//
-- ============================================================================
--changeset rbac-base-QUERY-GRANTED-PERMISSIONS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Returns all permissions accessible to the given subject UUID (user or role).
*/
create or replace function queryPermissionsGrantedToSubjectId(subjectId uuid)
2022-07-29 08:46:04 +02:00
returns setof RbacPermission
strict
language sql as $$
2022-08-13 16:47:36 +02:00
-- @formatter:off
select *
2022-07-29 08:46:04 +02:00
from RbacPermission
where uuid in (
with recursive grants as (
select distinct descendantUuid, ascendantUuid
from RbacGrants
where ascendantUuid = subjectId
union all
select "grant".descendantUuid, "grant".ascendantUuid
from RbacGrants "grant"
inner join grants recur on recur.descendantUuid = "grant".ascendantUuid
)
select descendantUuid
from grants
);
-- @formatter:on
2022-07-22 13:31:37 +02:00
$$;
--//
2022-07-22 13:31:37 +02:00
-- ============================================================================
--changeset rbac-base-QUERY-USERS-WITH-PERMISSION-FOR-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Returns all user UUIDs which have any permission for the given object UUID.
*/
2022-07-22 13:31:37 +02:00
2022-07-29 08:46:04 +02:00
create or replace function queryAllRbacUsersWithPermissionsFor(objectId uuid)
returns setof RbacUser
returns null on null input
language sql as $$
select *
from RbacUser
where uuid in (
-- @formatter:off
with recursive grants as (
select descendantUuid, ascendantUuid
from RbacGrants
where descendantUuid = objectId
union all
select "grant".descendantUuid, "grant".ascendantUuid
from RbacGrants "grant"
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
)
-- @formatter:on
select ascendantUuid
from grants);
2022-07-22 13:31:37 +02:00
$$;
--//
2022-07-22 13:31:37 +02:00
-- ============================================================================
--changeset rbac-base-PGSQL-ROLES:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create role admin;
grant all privileges on all tables in schema public to admin;
create role restricted;
grant all privileges on all tables in schema public to restricted;
--//