2022-07-29 11:39:32 +02:00
|
|
|
--liquibase formatted sql
|
2024-03-26 11:25:18 +01:00
|
|
|
-- This code generated was by RbacViewPostgresGenerator, do not amend manually.
|
|
|
|
|
2022-07-29 08:46:04 +02:00
|
|
|
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ============================================================================
|
2022-09-16 15:25:58 +02:00
|
|
|
--changeset test-customer-rbac-OBJECT:1 endDelimiter:--//
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
2022-09-16 15:25:58 +02:00
|
|
|
call generateRelatedRbacObject('test_customer');
|
2022-07-29 11:39:32 +02:00
|
|
|
--//
|
|
|
|
|
2022-09-16 15:25:58 +02:00
|
|
|
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
2022-09-16 15:25:58 +02:00
|
|
|
call generateRbacRoleDescriptors('testCustomer', 'test_customer');
|
2022-07-29 11:39:32 +02:00
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2024-03-11 12:30:43 +01:00
|
|
|
--changeset test-customer-rbac-insert-trigger:1 endDelimiter:--//
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
2022-07-29 08:46:04 +02:00
|
|
|
|
2022-07-29 11:39:32 +02:00
|
|
|
/*
|
2024-03-11 12:30:43 +01:00
|
|
|
Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
|
2022-07-29 11:39:32 +02:00
|
|
|
*/
|
2022-07-29 08:46:04 +02:00
|
|
|
|
2024-03-11 12:30:43 +01:00
|
|
|
create or replace procedure buildRbacSystemForTestCustomer(
|
|
|
|
NEW test_customer
|
|
|
|
)
|
|
|
|
language plpgsql as $$
|
|
|
|
|
2022-07-29 08:46:04 +02:00
|
|
|
declare
|
|
|
|
|
2024-03-11 12:30:43 +01:00
|
|
|
begin
|
2024-02-24 09:04:07 +01:00
|
|
|
call enterTriggerForObjectUuid(NEW.uuid);
|
|
|
|
|
2024-03-11 12:30:43 +01:00
|
|
|
perform createRoleWithGrants(
|
2024-04-02 12:01:37 +02:00
|
|
|
testCustomerOWNER(NEW),
|
2024-03-11 12:30:43 +01:00
|
|
|
permissions => array['DELETE'],
|
2024-04-02 12:01:37 +02:00
|
|
|
incomingSuperRoles => array[globalADMIN(unassumed())],
|
2024-03-26 11:25:18 +01:00
|
|
|
userUuids => array[currentUserUuid()]
|
2024-03-11 12:30:43 +01:00
|
|
|
);
|
2022-07-29 08:46:04 +02:00
|
|
|
|
2024-03-11 12:30:43 +01:00
|
|
|
perform createRoleWithGrants(
|
2024-04-02 12:01:37 +02:00
|
|
|
testCustomerADMIN(NEW),
|
2024-03-11 12:30:43 +01:00
|
|
|
permissions => array['UPDATE'],
|
2024-04-02 12:01:37 +02:00
|
|
|
incomingSuperRoles => array[testCustomerOWNER(NEW)]
|
2024-03-11 12:30:43 +01:00
|
|
|
);
|
2022-07-29 08:46:04 +02:00
|
|
|
|
2022-10-12 15:48:56 +02:00
|
|
|
perform createRoleWithGrants(
|
2024-04-02 12:01:37 +02:00
|
|
|
testCustomerTENANT(NEW),
|
2024-03-11 12:30:43 +01:00
|
|
|
permissions => array['SELECT'],
|
2024-04-02 12:01:37 +02:00
|
|
|
incomingSuperRoles => array[testCustomerADMIN(NEW)]
|
2024-03-11 12:30:43 +01:00
|
|
|
);
|
2022-07-29 08:46:04 +02:00
|
|
|
|
2024-02-24 09:04:07 +01:00
|
|
|
call leaveTriggerForObjectUuid(NEW.uuid);
|
2022-07-29 08:46:04 +02:00
|
|
|
end; $$;
|
|
|
|
|
2022-07-29 11:39:32 +02:00
|
|
|
/*
|
2024-03-11 12:30:43 +01:00
|
|
|
AFTER INSERT TRIGGER to create the role+grant structure for a new test_customer row.
|
2022-07-29 11:39:32 +02:00
|
|
|
*/
|
|
|
|
|
2024-03-11 12:30:43 +01:00
|
|
|
create or replace function insertTriggerForTestCustomer_tf()
|
|
|
|
returns trigger
|
|
|
|
language plpgsql
|
|
|
|
strict as $$
|
|
|
|
begin
|
|
|
|
call buildRbacSystemForTestCustomer(NEW);
|
|
|
|
return NEW;
|
|
|
|
end; $$;
|
|
|
|
|
|
|
|
create trigger insertTriggerForTestCustomer_tg
|
|
|
|
after insert on test_customer
|
2022-07-29 08:46:04 +02:00
|
|
|
for each row
|
2024-03-11 12:30:43 +01:00
|
|
|
execute procedure insertTriggerForTestCustomer_tf();
|
2022-07-29 11:39:32 +02:00
|
|
|
--//
|
|
|
|
|
2024-03-26 11:25:18 +01:00
|
|
|
|
2024-03-11 12:30:43 +01:00
|
|
|
-- ============================================================================
|
|
|
|
--changeset test-customer-rbac-INSERT:1 endDelimiter:--//
|
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
2024-03-26 11:25:18 +01:00
|
|
|
/*
|
|
|
|
Creates INSERT INTO test_customer permissions for the related global rows.
|
|
|
|
*/
|
|
|
|
do language plpgsql $$
|
|
|
|
declare
|
|
|
|
row global;
|
|
|
|
begin
|
|
|
|
call defineContext('create INSERT INTO test_customer permissions for the related global rows');
|
|
|
|
|
|
|
|
FOR row IN SELECT * FROM global
|
|
|
|
LOOP
|
2024-03-28 12:15:13 +01:00
|
|
|
call grantPermissionToRole(
|
|
|
|
createPermission(row.uuid, 'INSERT', 'test_customer'),
|
2024-04-02 12:01:37 +02:00
|
|
|
globalADMIN());
|
2024-03-26 11:25:18 +01:00
|
|
|
END LOOP;
|
|
|
|
END;
|
|
|
|
$$;
|
|
|
|
|
|
|
|
/**
|
|
|
|
Adds test_customer INSERT permission to specified role of new global rows.
|
|
|
|
*/
|
|
|
|
create or replace function test_customer_global_insert_tf()
|
|
|
|
returns trigger
|
|
|
|
language plpgsql
|
|
|
|
strict as $$
|
|
|
|
begin
|
|
|
|
call grantPermissionToRole(
|
|
|
|
createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
2024-04-02 12:01:37 +02:00
|
|
|
globalADMIN());
|
2024-03-26 11:25:18 +01:00
|
|
|
return NEW;
|
|
|
|
end; $$;
|
|
|
|
|
|
|
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
|
|
create trigger z_test_customer_global_insert_tg
|
|
|
|
after insert on global
|
|
|
|
for each row
|
|
|
|
execute procedure test_customer_global_insert_tf();
|
|
|
|
|
2024-03-11 12:30:43 +01:00
|
|
|
/**
|
2024-03-26 11:25:18 +01:00
|
|
|
Checks if the user or assumed roles are allowed to insert a row to test_customer,
|
|
|
|
where only global-admin has that permission.
|
2024-03-11 12:30:43 +01:00
|
|
|
*/
|
|
|
|
create or replace function test_customer_insert_permission_missing_tf()
|
|
|
|
returns trigger
|
|
|
|
language plpgsql as $$
|
|
|
|
begin
|
|
|
|
raise exception '[403] insert into test_customer not allowed for current subjects % (%)',
|
|
|
|
currentSubjects(), currentSubjectsUuids();
|
|
|
|
end; $$;
|
|
|
|
|
|
|
|
create trigger test_customer_insert_permission_check_tg
|
|
|
|
before insert on test_customer
|
|
|
|
for each row
|
|
|
|
when ( not isGlobalAdmin() )
|
|
|
|
execute procedure test_customer_insert_permission_missing_tf();
|
|
|
|
--//
|
2024-03-26 11:25:18 +01:00
|
|
|
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
2022-07-29 08:46:04 +02:00
|
|
|
|
2024-03-26 11:25:18 +01:00
|
|
|
call generateRbacIdentityViewFromProjection('test_customer',
|
|
|
|
$idName$
|
|
|
|
prefix
|
2024-03-11 12:30:43 +01:00
|
|
|
$idName$);
|
|
|
|
--//
|
2024-03-26 11:25:18 +01:00
|
|
|
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
2022-07-29 11:39:32 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
2024-03-11 12:30:43 +01:00
|
|
|
call generateRbacRestrictedView('test_customer',
|
2024-03-26 11:25:18 +01:00
|
|
|
$orderBy$
|
|
|
|
reference
|
|
|
|
$orderBy$,
|
2022-09-19 20:43:14 +02:00
|
|
|
$updates$
|
|
|
|
reference = new.reference,
|
|
|
|
prefix = new.prefix,
|
|
|
|
adminUserName = new.adminUserName
|
|
|
|
$updates$);
|
2022-07-29 11:39:32 +02:00
|
|
|
--//
|
2022-08-02 11:51:36 +02:00
|
|
|
|