-- ========================================================
-- Package example with RBAC
-- --------------------------------------------------------
-- run the following DDL as the originally authenticated user (same effect as SET SESSION AUTHORIZATION DEFAULT)
reset session authorization;
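-- A package belongs to exactly one customer; its uuid doubles as the key into the RBAC object
-- registry (RbacObject). The uuid is presumably filled in by the BEFORE INSERT trigger further
-- below (createRbacObject() is defined elsewhere).
create table if not exists package
(
    uuid         uuid,
    name         character varying(5),
    -- the AFTER INSERT trigger hangs the package roles beneath the customer's roles,
    -- so a package without a customer would leave its owner role unanchored
    customerUuid uuid not null,
    constraint package_uuid_unique unique (uuid),
    constraint package_uuid_fk foreign key (uuid) references RbacObject (uuid),
    constraint package_customeruuid_fk foreign key (customerUuid) references customer (uuid)
);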
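-- Returns the role descriptor of the *owner* role of the given package.
-- It must differ from packageAdmin(): createRbacRulesForPackage() creates both roles for every
-- package, and the owner role is the one carrying the '*' permission. (Previously this function
-- returned the 'admin' descriptor, making owner and admin indistinguishable.)
create or replace function packageOwner(pac package)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
begin
    return roleDescriptor('package', pac.uuid, 'owner');
end; $$;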
-- Returns the role descriptor of the admin role of the given package
-- (NULL input yields NULL because of RETURNS NULL ON NULL INPUT).
create or replace function packageAdmin(pac package)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
declare
    adminRole RbacRoleDescriptor;
begin
    adminRole := roleDescriptor('package', pac.uuid, 'admin');
    return adminRole;
end; $$;
-- Returns the role descriptor of the tenant role of the given package
-- (NULL input yields NULL because of RETURNS NULL ON NULL INPUT).
create or replace function packageTenant(pac package)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
declare
    tenantRole RbacRoleDescriptor;
begin
    tenantRole := roleDescriptor('package', pac.uuid, 'tenant');
    return tenantRole;
end; $$;
-- registers the RBAC object for each new package row before it is stored
-- (createRbacObject() is defined elsewhere); dropped first so the script is re-runnable
drop trigger if exists createRbacObjectForPackage_Trigger on package;
create trigger createRbacObjectForPackage_Trigger
    before insert on package
    for each row execute procedure createRbacObject();
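-- AFTER INSERT row trigger: builds the RBAC role hierarchy for a freshly inserted package.
--   owner  ('*')                            beneath the customer's admin role
--   admin  (edit, add-unixuser, add-domain) beneath the package owner role
--   tenant (view)                           beneath the package admin role
-- Raises if used for anything but INSERT or if the referenced customer row cannot be found.
create or replace function createRbacRulesForPackage()
    returns trigger
    language plpgsql
    strict as $$
declare
    parentCustomer       customer;
    packageOwnerRoleUuid uuid;
    packageAdminRoleUuid uuid;
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    -- the package roles are hung beneath the roles of its customer, so the parent row must exist;
    -- otherwise the '*' owner role below would be created without any anchor in the hierarchy
    select c.* into parentCustomer from customer as c where c.uuid = NEW.customerUuid;
    if not found then
        raise exception 'package % refers to unknown customer %', NEW.uuid, NEW.customerUuid;
    end if;

    -- owner role: full ('*') permissions on the package, granted beneath the customer's admin role
    packageOwnerRoleUuid = createRole(
        packageOwner(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
        beneathRole(customerAdmin(parentCustomer))
        );

    -- admin role: edit/add permissions on the package, granted beneath the package owner role
    packageAdminRoleUuid = createRole(
        packageAdmin(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit', 'add-unixuser', 'add-domain']),
        beneathRole(packageOwnerRoleUuid)
        );

    -- tenant role: read-only ('view') permission, granted beneath the package admin role
    -- and additionally linked via beingItselfA() to the customer's tenant role
    perform createRole(
        packageTenant(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
        beneathRole(packageAdminRoleUuid),
        beingItselfA(customerTenant(parentCustomer))
        );

    return NEW;
end; $$;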
-- creates the package's RBAC roles once the row (and its uuid) exists; dropped first so the
-- script is re-runnable
drop trigger if exists createRbacRulesForPackage_Trigger on package;
create trigger createRbacRulesForPackage_Trigger
    after insert on package
    for each row execute procedure createRbacRulesForPackage();
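-- BEFORE DELETE row trigger: placeholder for removing the RBAC roles/grants that
-- createRbacRulesForPackage() created. Raises if used for anything but DELETE.
create or replace function deleteRbacRulesForPackage()
    returns trigger
    language plpgsql
    strict as $$
begin
    if TG_OP <> 'DELETE' then
        raise exception 'invalid usage of TRIGGER BEFORE DELETE';
    end if;

    -- TODO: remove the roles and grants created by createRbacRulesForPackage()
    -- (nothing is cleaned up yet)

    -- a BEFORE DELETE row trigger has to return the row for the deletion to proceed;
    -- falling off the end without RETURN makes PL/pgSQL raise an error and block every delete
    return OLD;
end; $$;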
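-- the cleanup hook belongs on the package table, mirroring createRbacRulesForPackage_Trigger;
-- an earlier version attached this *ForPackage trigger to the customer table, so that stale
-- definition is dropped as well to keep the script re-runnable
drop trigger if exists deleteRbacRulesForPackage_Trigger on customer;
drop trigger if exists deleteRbacRulesForPackage_Trigger on package;
create trigger deleteRbacRulesForPackage_Trigger
    before delete on package
    for each row execute procedure deleteRbacRulesForPackage();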
-- create RBAC-restricted view
-- the view is created as the originally authenticated user, not under any assumed authorization
set session session authorization default;
-- ALTER TABLE package ENABLE ROW LEVEL SECURITY;
drop view if exists package_rv;
-- package_rv exposes only those packages for which the current subject(s) hold the 'view'
-- permission (queryAccessibleObjectUuidsOfSubjectIds() and currentSubjectIds() are defined elsewhere)
create or replace view package_rv as
-- NOTE(review): DISTINCT is not needed for the result (uuid is unique and the IN filter does not
-- multiply rows), but it also makes the view non-auto-updatable in PostgreSQL; removing it would
-- turn the grant below into effective INSERT/UPDATE/DELETE access — confirm before changing
select distinct target.*
from package as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectIds()));
-- NOTE(review): ALL PRIVILEGES on a view also covers INSERT/UPDATE/DELETE and TRIGGER; the view
-- appears to be meant as read-only access for the restricted role, so GRANT SELECT would be the
-- least-privilege form — confirm that no write path relies on this grant
grant all privileges on package_rv to restricted;
-- generate Package test data
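-- Generates one to three test packages per existing customer, each inserted while the
-- customer's admin is the current user (so the RBAC triggers run under that identity).
-- randominrange() is defined elsewhere; each package is committed separately.
do language plpgsql $$
declare
    cust        customer;
    pacName     varchar;
    currentTask varchar;
    custAdmin   varchar;
begin
    -- start without a current user; the per-package user is set below for each insert
    set hsadminng.currentUser to '';

    for cust in (select * from customer)
        loop
            -- CONTINUE WHEN cust.reference < 18000;

            for t in 0..randominrange(1, 2)
                loop
                    pacName = cust.prefix || to_char(t, 'fm00');
                    currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
                                  cust.uuid;
                    raise notice 'task: %', currentTask;

                    custAdmin = 'admin@' || cust.prefix || '.example.com';
                    -- SET does not substitute PL/pgSQL variables: `set local ... to custAdmin` would store
                    -- the literal identifier 'custadmin', not the admin address, and the inserts would run
                    -- under a wrong user. set_config(..., true) is the transaction-local equivalent.
                    perform set_config('hsadminng.currentUser', custAdmin, true);
                    perform set_config('hsadminng.assumedRoles', '', true);
                    perform set_config('hsadminng.currentTask', currentTask, true);

                    insert
                        into package (name, customerUuid)
                        values (pacName, cust.uuid);

                    -- the transaction-local settings above are discarded here; they are set again
                    -- at the top of the next iteration
                    commit;
                end loop;
        end loop;
end;
$$;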