--liquibase formatted sql
-- ============================================================================
-- PERMISSIONS
--changeset rbac-role-builder-permissions:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
-- Wrapper record carrying the uuids of the permissions a role-builder call grants to a new role.
create type RbacPermissions as (
    permissionUuids uuid[]
);
/*
    Builds an RbacPermissions value for the given object: the permission uuids are
    produced by createPermissions(forObjectUuid, permitOps), one per requested operation.
    createPermissions is defined outside this file; it is assumed to return uuid[]
    (the value is used as the permissionUuids column) — confirm against its definition.
    Declared strict: a null forObjectUuid or a null permitOps yields null without a call.
 */
create or replace function grantingPermissions(forObjectUuid uuid, permitOps RbacOp[])
    returns RbacPermissions
    language plpgsql
    strict as $$
declare
    createdPermissionUuids uuid[];
begin
    createdPermissionUuids := createPermissions(forObjectUuid, permitOps);
    return row (createdPermissionUuids)::RbacPermissions;
end; $$;
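/*
    Returns an RbacPermissions value with an empty permission list, for roles
    that grant no permissions of their own.
 */
create or replace function withoutPermissions()
    returns RbacPermissions
    language plpgsql
    strict as $$
begin
    -- Explicit cast for consistency with grantingPermissions(); the anonymous
    -- row form relied on PL/pgSQL coercing the record to the return type.
    return row (array []::uuid[])::RbacPermissions;
end; $$;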
--//
--changeset rbac-role-builder-super-roles:1 endDelimiter:--//
/*
*/
-- Wrapper record carrying the uuids of the roles a new role is placed beneath (its super roles).
create type RbacSuperRoles as (
    roleUuids uuid[]
);
/*
    Resolves each given role descriptor to its uuid and packs the uuids into an
    RbacSuperRoles value, preserving the order of the input array.
    Each descriptor is looked up with getRoleId(descriptor, 'fail'); getRoleId and
    the meaning of the 'fail' mode are defined outside this file.
    Declared strict: a null roleDescriptors array yields null; an empty array yields
    an RbacSuperRoles with an empty uuid list.
 */
create or replace function beneathRoles(roleDescriptors RbacRoleDescriptor[])
    returns RbacSuperRoles
    language plpgsql
    strict as $$
declare
    descriptor    RbacRoleDescriptor;
    resolvedUuids uuid[] := array []::uuid[];
begin
    foreach descriptor in array roleDescriptors
        loop
            resolvedUuids := array_append(resolvedUuids, getRoleId(descriptor, 'fail'));
        end loop;
    return row (resolvedUuids)::RbacSuperRoles;
end; $$;
/*
    Single-descriptor convenience form of beneathRoles(): wraps the descriptor in a
    one-element array and delegates. Declared strict: a null descriptor yields null.
 */
create or replace function beneathRole(roleDescriptor RbacRoleDescriptor)
    returns RbacSuperRoles
    language plpgsql
    strict as $$
declare
    singleDescriptor RbacRoleDescriptor[] := array [roleDescriptor];
begin
    return beneathRoles(singleDescriptor);
end; $$;
/*
    Builds an RbacSuperRoles value holding exactly the given role uuid; no lookup
    is performed. Declared strict: a null roleUuid yields null.
 */
create or replace function beneathRole(roleUuid uuid)
    returns RbacSuperRoles
    language plpgsql
    strict as $$
declare
    superRoleUuids uuid[] := array [roleUuid]::uuid[];
begin
    return row (superRoleUuids)::RbacSuperRoles;
end; $$;
/*
    Marks a role as top level: returns an RbacSuperRoles value with an empty
    uuid list, i.e. the new role is placed beneath no other role.
 */
create or replace function asTopLevelRole()
    returns RbacSuperRoles
    language plpgsql
    strict as $$
declare
    noSuperRoles uuid[] := array []::uuid[];
begin
    return row (noSuperRoles)::RbacSuperRoles;
end; $$;
--//
-- =================================================================
-- SUB ROLES
--changeset rbac-role-builder-sub-roles:1 endDelimiter:--//
-- -----------------------------------------------------------------
/*
*/
-- Wrapper record carrying the uuids of the roles granted to a new role (its sub roles).
create type RbacSubRoles as (
    roleUuids uuid[]
);
-- drop FUNCTION beingItselfA(roleUuid uuid)
/*
    Builds an RbacSubRoles value holding exactly the given role uuid; no lookup
    is performed. Declared strict: a null roleUuid yields null.
 */
create or replace function beingItselfA(roleUuid uuid)
    returns RbacSubRoles
    language plpgsql
    strict as $$
declare
    subRoleUuids uuid[] := array [roleUuid]::uuid[];
begin
    return row (subRoleUuids)::RbacSubRoles;
end; $$;
-- drop FUNCTION beingItselfA(roleDescriptor RbacRoleDescriptor)
/*
    Descriptor form of beingItselfA(): resolves the descriptor with
    getRoleId(roleDescriptor, 'fail') and delegates to beingItselfA(uuid).
    getRoleId and the 'fail' mode are defined outside this file.
    Declared strict: a null descriptor yields null.
 */
create or replace function beingItselfA(roleDescriptor RbacRoleDescriptor)
    returns RbacSubRoles
    language plpgsql
    strict as $$
declare
    resolvedRoleUuid uuid;
begin
    resolvedRoleUuid := getRoleId(roleDescriptor, 'fail');
    return beingItselfA(resolvedRoleUuid);
end; $$;
/*
    Resolves each given role descriptor to its uuid and packs the uuids into an
    RbacSubRoles value, preserving the order of the input array.
    Each descriptor is looked up with getRoleId(descriptor, 'fail'); getRoleId and
    the meaning of the 'fail' mode are defined outside this file.
    Declared strict: a null roleDescriptors array yields null; an empty array yields
    an RbacSubRoles with an empty uuid list.
 */
create or replace function withSubRoles(roleDescriptors RbacRoleDescriptor[])
    returns RbacSubRoles
    language plpgsql
    strict as $$
declare
    descriptor    RbacRoleDescriptor;
    resolvedUuids uuid[] := array []::uuid[];
begin
    foreach descriptor in array roleDescriptors
        loop
            resolvedUuids := array_append(resolvedUuids, getRoleId(descriptor, 'fail'));
        end loop;
    return row (resolvedUuids)::RbacSubRoles;
end; $$;
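/*
    Returns an RbacSubRoles value with an empty uuid list, for roles that
    receive no sub roles.
 */
create or replace function withoutSubRoles()
    returns RbacSubRoles
    language plpgsql
    strict as $$
begin
    -- Explicit cast for consistency with withSubRoles() and beingItselfA(); the
    -- anonymous row form relied on PL/pgSQL coercing the record to the return type.
    return row (array []::uuid[])::RbacSubRoles;
end; $$;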
--//
-- =================================================================
-- USERS
--changeset rbac-role-builder-users:1 endDelimiter:--//
-- -----------------------------------------------------------------
/*
*/
-- Wrapper record carrying the uuids of the users a new role is granted to directly.
create type RbacUsers as (
    userUuids uuid[]
);
/*
    Resolves each given user name to its uuid and packs the uuids into an RbacUsers
    value, preserving the order of the input array.
    Each name is looked up with getRbacUserId(name, 'fail'); getRbacUserId and the
    meaning of the 'fail' mode are defined outside this file.
    Declared strict: a null userNames array yields null; an empty array yields an
    RbacUsers with an empty uuid list.
 */
create or replace function withUsers(userNames varchar[])
    returns RbacUsers
    language plpgsql
    strict as $$
declare
    currentUserName varchar;
    resolvedUuids   uuid[] := array []::uuid[];
begin
    foreach currentUserName in array userNames
        loop
            resolvedUuids := array_append(resolvedUuids, getRbacUserId(currentUserName, 'fail'));
        end loop;
    return row (resolvedUuids)::RbacUsers;
end; $$;
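/*
    Resolves a single user name to an RbacUsers value holding that user's uuid.
    whenNotExists is passed through to getRbacUserId (defined outside this file)
    and defaults to 'fail'.
    Declared "returns null on null input": a null userName, or an explicitly null
    whenNotExists, yields null without a lookup.
 */
create or replace function withUser(userName varchar, whenNotExists RbacWhenNotExists = 'fail')
    returns RbacUsers
    returns null on null input
    language plpgsql as $$
begin
    -- Explicit cast for consistency with withUsers(); the anonymous row form
    -- relied on PL/pgSQL coercing the record to the return type.
    return row (array [getRbacUserId(userName, whenNotExists)])::RbacUsers;
end; $$;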
--//
-- =================================================================
-- CREATE ROLE
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
-- -----------------------------------------------------------------
/*
*/
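/*
    Creates a role from the role-builder DSL values and wires it into the grant graph:
    its permissions, the super roles (roles it is granted to), the sub roles (roles
    granted to it) and the users that receive it directly.

    Returns the uuid of the created role.

    Declared "called on null input" so that the optional parts may be null. Only
    `permissions` is dereferenced unconditionally: a null `permissions` passes a null
    array to grantPermissionsToRole, whose handling of null is defined outside this file.
    A non-null wrapper whose uuid array is itself null makes the FOREACH raise.

    Field names below match the column names of the wrapper types declared in this
    file (roleUuids / userUuids); the earlier mixed-case spellings only worked because
    unquoted identifiers are case-folded.
 */
create or replace function createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    superRoles RbacSuperRoles,
    subRoles RbacSubRoles = null,
    users RbacUsers = null,
    grantingRoleUuid uuid = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    roleUuid      uuid;
    superRoleUuid uuid;
    subRoleUuid   uuid;
    userUuid      uuid;
begin
    -- Sends the full descriptor to the client / server log at NOTICE level.
    raise notice 'will createRole for %', roleDescriptor;
    -- createRole(RbacRoleDescriptor) is the single-argument overload, defined outside this file.
    roleUuid = createRole(roleDescriptor);

    call grantPermissionsToRole(roleUuid, permissions.permissionUuids);

    -- grantRoleToRole is defined outside this file; the argument order is
    -- (granted role, receiving role) as used consistently by the two loops below.
    if superRoles is not null then
        foreach superRoleUuid in array superRoles.roleUuids
            loop
                call grantRoleToRole(roleUuid, superRoleUuid);
            end loop;
    end if;

    if subRoles is not null then
        foreach subRoleUuid in array subRoles.roleUuids
            loop
                call grantRoleToRole(subRoleUuid, roleUuid);
            end loop;
    end if;

    -- Direct user grants are attributed to grantingRoleUuid, which may be null here.
    -- NOTE(review): the "Unchecked" variant is used, so whatever check the checked
    -- grant performs is skipped on this path; its contract is defined outside this
    -- file — confirm every caller of createRole is a trusted role-creating context.
    if users is not null then
        foreach userUuid in array users.userUuids
            loop
                call grantRoleToUserUnchecked(grantingRoleUuid, roleUuid, userUuid);
            end loop;
    end if;

    return roleUuid;
end; $$;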
/*
    Convenience overload of createRole without super or sub roles: delegates to the
    full createRole(...) with null for both, passing the remaining arguments through.
    Declared "called on null input" like the full overload.
 */
create or replace function createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    users RbacUsers = null,
    grantingRoleUuid uuid = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    createdRoleUuid uuid;
begin
    createdRoleUuid := createRole(roleDescriptor, permissions, null, null, users, grantingRoleUuid);
    return createdRoleUuid;
end; $$;
/*
    Convenience overload of createRole with sub roles but no super roles: delegates
    to the full createRole(...) with null super roles, passing the remaining
    arguments through. Declared "called on null input" like the full overload.
 */
create or replace function createRole(
    roleDescriptor RbacRoleDescriptor,
    permissions RbacPermissions,
    subRoles RbacSubRoles,
    users RbacUsers = null,
    grantingRoleUuid uuid = null
)
    returns uuid
    called on null input
    language plpgsql as $$
declare
    createdRoleUuid uuid;
begin
    createdRoleUuid := createRole(roleDescriptor, permissions, null, subRoles, users, grantingRoleUuid);
    return createdRoleUuid;
end; $$;
--//
-- =================================================================
-- GRANTED BY ROLE
--changeset rbac-role-builder-GRANTED-BY-ROLE:1 endDelimiter:--//
-- -----------------------------------------------------------------
/*
Used in role-builder-DSL to convert a role descriptor to its uuid
for use as `grantedByRoleUuid`.
*/
-- Resolves the descriptor with getRoleId(roleDescriptor, 'fail'); getRoleId and the
-- 'fail' mode are defined outside this file. Declared strict: a null descriptor yields null.
-- NOTE(review): LEAKPROOF lets the planner evaluate this function ahead of
-- security-barrier / row-level-security quals. That declaration is only accurate if
-- getRoleId(..., 'fail') reveals nothing about its argument through errors or
-- messages — confirm against getRoleId before relying on it.
create or replace function grantedByRole(roleDescriptor RbacRoleDescriptor)
    returns uuid
    strict leakproof
    language plpgsql as $$
declare
    resolvedRoleUuid uuid;
begin
    resolvedRoleUuid := getRoleId(roleDescriptor, 'fail');
    return resolvedRoleUuid;
end; $$;
--//