hs.hsadmin.ng/src/main/resources/db/changelog/2022-07-29-070-hs-package-rbac.sql

--liquibase formatted sql

-- ============================================================================
--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates the related RbacObject through a BEFORE INSERT TRIGGER.
 */
drop trigger if exists createRbacObjectForPackage_Trigger on package;
create trigger createRbacObjectForPackage_Trigger
    before insert
    on package
    for each row
execute procedure createRbacObject();
--//


-- ============================================================================
--changeset hs-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

create or replace function packageOwner(pac package)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
begin
    return roleDescriptor('package', pac.uuid, 'admin');
end; $$;

create or replace function packageAdmin(pac package)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
begin
    return roleDescriptor('package', pac.uuid, 'admin');
end; $$;

create or replace function packageTenant(pac package)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
begin
    return roleDescriptor('package', pac.uuid, 'tenant');
end; $$;
--//


-- ============================================================================
--changeset hs-package-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
 */
create or replace function createRbacRolesForPackage()
    returns trigger
    language plpgsql
    strict as $$
declare
    parentCustomer       customer;
    packageOwnerRoleUuid uuid;
    packageAdminRoleUuid uuid;
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    select * from customer as c where c.uuid = NEW.customerUuid into parentCustomer;

    -- an owner role is created and assigned to the customer's admin role
    packageOwnerRoleUuid = createRole(
        packageOwner(NEW),
        withoutPermissions(),
        beneathRole(customerAdmin(parentCustomer))
        );

    -- an owner role is created and assigned to the package owner role
    packageAdminRoleUuid = createRole(
        packageAdmin(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']),
        beneathRole(packageOwnerRoleUuid)
        );

    -- and a package tenant role is created and assigned to the package admin as well
    perform createRole(
        packageTenant(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
        beneathRole(packageAdminRoleUuid),
        beingItselfA(customerTenant(parentCustomer))
        );

    return NEW;
end; $$;

/*
    An AFTER INSERT TRIGGER which creates the role structure for a new package.
 */

drop trigger if exists createRbacRolesForPackage_Trigger on package;
create trigger createRbacRolesForPackage_Trigger
    after insert
    on package
    for each row
execute procedure createRbacRolesForPackage();
--//

-- ============================================================================
--changeset hs-package-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER.
 */

create or replace function deleteRbacRulesForPackage()
    returns trigger
    language plpgsql
    strict as $$
begin
    if TG_OP = 'DELETE' then
        call deleteRole(findRoleId(packageOwner(OLD)));
        call deleteRole(findRoleId(packageAdmin(OLD)));
        call deleteRole(findRoleId(packageTenant(OLD)));
    else
        raise exception 'invalid usage of TRIGGER BEFORE DELETE';
    end if;
end; $$;

/*
    An BEFORE DELETE TRIGGER which deletes the role structure of a package.
 */

drop trigger if exists deleteRbacRulesForPackage_Trigger on package;
create trigger deleteRbacRulesForPackage_Trigger
    before delete
    on package
    for each row
execute procedure deleteRbacRulesForPackage();
--//


-- ============================================================================
--changeset hs-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates a view to the package main table which maps the identifying name
    (in this case, actually the column `name`) to the objectUuid.
 */
drop view if exists package_iv;
create or replace view package_iv as
select distinct target.uuid, target.name as idName
    from package as target;
-- TODO: Is it ok that everybody has access to this information?
grant all privileges on package_iv to restricted;

/*
    Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
 */
create or replace function packageUuidByIdName(idName varchar)
    returns uuid
    language sql
    strict as $$
select uuid from package_iv iv where iv.idName = packageUuidByIdName.idName;
$$;

/*
    Returns the identifying name for a given objectUuid (in this case the name).
 */
create or replace function packageIdNameByUuid(uuid uuid)
    returns varchar
    language sql
    strict as $$
select idName from package_iv iv where iv.uuid = packageIdNameByUuid.uuid;
$$;
--//


-- ============================================================================
--changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates a view to the customer main table which maps the identifying name
    (in this case, the prefix) to the objectUuid.
 */
drop view if exists package_rv;
create or replace view package_rv as
select target.*
    from package as target
    where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectIds()));
grant all privileges on package_rv to restricted;
--//
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--liquibase formatted sql`

			`-- ============================================================================`
			`--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`
			`/*`
			`Creates the related RbacObject through a BEFORE INSERT TRIGGER.`
			`*/`
			`drop trigger if exists createRbacObjectForPackage_Trigger on package;`
			`create trigger createRbacObjectForPackage_Trigger`
			`before insert`
			`on package`
			`for each row`
			`execute procedure createRbacObject();`
			`--//`
removing JHipster 2022-07-22 13:31:37 +02:00

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
			`--changeset hs-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`
removing JHipster 2022-07-22 13:31:37 +02:00
formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function packageOwner(pac package)`
			`returns RbacRoleDescriptor`
			`returns null on null input`
			`language plpgsql as $$`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`begin`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`return roleDescriptor('package', pac.uuid, 'admin');`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`end; $$;`

formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function packageAdmin(pac package)`
			`returns RbacRoleDescriptor`
			`returns null on null input`
			`language plpgsql as $$`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`begin`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`return roleDescriptor('package', pac.uuid, 'admin');`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`end; $$;`

formatted SQL code 2022-07-29 08:46:04 +02:00			`create or replace function packageTenant(pac package)`
			`returns RbacRoleDescriptor`
			`returns null on null input`
			`language plpgsql as $$`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`begin`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`return roleDescriptor('package', pac.uuid, 'tenant');`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`end; $$;`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
			`--changeset hs-package-rbac-ROLES-CREATION:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`
			`/*`
			`Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.`
			`*/`
			`create or replace function createRbacRolesForPackage()`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`declare`
			`parentCustomer customer;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`packageOwnerRoleUuid uuid;`
			`packageAdminRoleUuid uuid;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`begin`
			`if TG_OP <> 'INSERT' then`
			`raise exception 'invalid usage of TRIGGER AFTER INSERT';`
			`end if;`
removing JHipster 2022-07-22 13:31:37 +02:00
formatted SQL code 2022-07-29 08:46:04 +02:00			`select * from customer as c where c.uuid = NEW.customerUuid into parentCustomer;`
removing JHipster 2022-07-22 13:31:37 +02:00
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`-- an owner role is created and assigned to the customer's admin role`
			`packageOwnerRoleUuid = createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`packageOwner(NEW),`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`withoutPermissions(),`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`beneathRole(customerAdmin(parentCustomer))`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`

			`-- an owner role is created and assigned to the package owner role`
			`packageAdminRoleUuid = createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`packageAdmin(NEW),`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']),`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`beneathRole(packageOwnerRoleUuid)`
			`);`

			`-- and a package tenant role is created and assigned to the package admin as well`
			`perform createRole(`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`packageTenant(NEW),`
formatted SQL code 2022-07-29 08:46:04 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`beneathRole(packageAdminRoleUuid),`
introduce referential integrity for role identification - part 1 2022-07-27 19:54:05 +02:00			`beingItselfA(customerTenant(parentCustomer))`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`
removing JHipster 2022-07-22 13:31:37 +02:00
formatted SQL code 2022-07-29 08:46:04 +02:00			`return NEW;`
			`end; $$;`
removing JHipster 2022-07-22 13:31:37 +02:00
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`/*`
			`An AFTER INSERT TRIGGER which creates the role structure for a new package.`
			`*/`

			`drop trigger if exists createRbacRolesForPackage_Trigger on package;`
			`create trigger createRbacRolesForPackage_Trigger`
formatted SQL code 2022-07-29 08:46:04 +02:00			`after insert`
			`on package`
			`for each row`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`execute procedure createRbacRolesForPackage();`
			`--//`

			`-- ============================================================================`
			`--changeset hs-package-rbac-ROLES-REMOVAL:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`

			`/*`
			`Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER.`
			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00
			`create or replace function deleteRbacRulesForPackage()`
			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`begin`
			`if TG_OP = 'DELETE' then`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`call deleteRole(findRoleId(packageOwner(OLD)));`
			`call deleteRole(findRoleId(packageAdmin(OLD)));`
			`call deleteRole(findRoleId(packageTenant(OLD)));`
formatted SQL code 2022-07-29 08:46:04 +02:00			`else`
			`raise exception 'invalid usage of TRIGGER BEFORE DELETE';`
			`end if;`
			`end; $$;`
removing JHipster 2022-07-22 13:31:37 +02:00
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`/*`
			`An BEFORE DELETE TRIGGER which deletes the role structure of a package.`
			`*/`

			`drop trigger if exists deleteRbacRulesForPackage_Trigger on package;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`create trigger deleteRbacRulesForPackage_Trigger`
			`before delete`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`on package`
formatted SQL code 2022-07-29 08:46:04 +02:00			`for each row`
			`execute procedure deleteRbacRulesForPackage();`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
removing JHipster 2022-07-22 13:31:37 +02:00
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00
			`-- ============================================================================`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`--changeset hs-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`

			`/*`
			`Creates a view to the package main table which maps the identifying name`
			(in this case, actually the column `name`) to the objectUuid.
			`*/`
			`drop view if exists package_iv;`
			`create or replace view package_iv as`
			`select distinct target.uuid, target.name as idName`
			`from package as target;`
			`-- TODO: Is it ok that everybody has access to this information?`
			`grant all privileges on package_iv to restricted;`

			`/*`
			Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
			`*/`
			`create or replace function packageUuidByIdName(idName varchar)`
			`returns uuid`
			`language sql`
			`strict as $$`
			`select uuid from package_iv iv where iv.idName = packageUuidByIdName.idName;`
			`$$;`
add RbacRole... 2022-08-03 06:12:16 +02:00
			`/*`
			`Returns the identifying name for a given objectUuid (in this case the name).`
			`*/`
			`create or replace function packageIdNameByUuid(uuid uuid)`
			`returns varchar`
			`language sql`
			`strict as $$`
			`select idName from package_iv iv where iv.uuid = packageIdNameByUuid.uuid;`
			`$$;`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`--//`


			`-- ============================================================================`
			`--changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`

			`/*`
			`Creates a view to the customer main table which maps the identifying name`
			`(in this case, the prefix) to the objectUuid.`
			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00			`drop view if exists package_rv;`
			`create or replace view package_rv as`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`select target.*`
formatted SQL code 2022-07-29 08:46:04 +02:00			`from package as target`
			`where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectIds()));`
			`grant all privileges on package_rv to restricted;`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`