-- ========================================================
-- EMailAddress example with RBAC
-- --------------------------------------------------------
-- run the rest of this file as the originally authenticated user;
-- RESET is the documented equivalent of SET SESSION SESSION AUTHORIZATION DEFAULT
reset session authorization;
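-- one row per e-mail address; the uuid doubles as the key of the matching RbacObject row
-- (presumably filled in by the BEFORE INSERT trigger createRbacObjectForEMailAddress_Trigger below)
create table if not exists EMailAddress
(
    uuid       uuid,
    -- NOTE(review): the 64-character cap presumably mirrors the RFC 5321 local-part limit — confirm;
    -- neither localPart nor domainUuid is NOT NULL, so a row without local part or domain is accepted,
    -- and a NULL domainUuid is not caught by the foreign key — confirm whether that is intended
    localPart  varchar(64),
    domainUuid uuid,

    -- constraints carry explicit names so that errors and later migrations can refer to them
    constraint emailaddress_uuid_unique          unique (uuid),
    constraint emailaddress_uuid_rbacobject_fk   foreign key (uuid) references RbacObject (uuid),
    constraint emailaddress_domainuuid_domain_fk foreign key (domainUuid) references domain (uuid)
);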
-- BEFORE INSERT: presumably lets createRbacObject() back the new row with an RbacObject row
-- (the uuid column references RbacObject, so that row must exist once the insert is checked)
drop trigger if exists createRbacObjectForEMailAddress_Trigger on EMailAddress;
create trigger createRbacObjectForEMailAddress_Trigger
    before insert on EMailAddress
    for each row execute procedure createRbacObject();
-- role descriptor of the 'owner' role belonging to the given EMailAddress row;
-- strict (== returns null on null input): a NULL row yields NULL without running the body
create or replace function emailAddressOwner(emAddr EMailAddress)
    returns RbacRoleDescriptor
    language plpgsql
    strict as $$
begin
    return roleDescriptor('emailaddress', emAddr.uuid, 'owner');
end; $$;
-- role descriptor of the 'admin' role belonging to the given EMailAddress row;
-- strict (== returns null on null input): a NULL row yields NULL without running the body
create or replace function emailAddressAdmin(emAddr EMailAddress)
    returns RbacRoleDescriptor
    language plpgsql
    strict as $$
begin
    return roleDescriptor('emailaddress', emAddr.uuid, 'admin');
end; $$;
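-- AFTER INSERT trigger function: creates the RBAC roles of a new EMailAddress row —
-- an 'owner' role with all operations and an 'admin' role with 'edit' only,
-- both derived from the roles of the address' domain.
create or replace function createRbacRulesForEMailAddress()
    returns trigger
    language plpgsql
    strict as $$
declare
    parentDomain              Domain;
    eMailAddressOwnerRoleUuid uuid;
begin
    -- only meaningful for inserts; refuse to be wired to any other event
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    -- the roles below are derived from the domain's roles, so the domain row is required.
    -- the FK on domainUuid guarantees a match only when domainUuid is NOT NULL; a NULL
    -- domainUuid would otherwise silently hand a NULL domain to domainAdmin()/domainTenant().
    select d.*
        from domain d
        where d.uuid = NEW.domainUuid
        into parentDomain;
    if not found then
        raise exception 'EMailAddress % references no domain (domainUuid = %); RBAC roles cannot be derived',
            NEW.uuid, NEW.domainUuid;
    end if;

    -- owner role: permits every operation ('*') on the new row; created beneath the domain's admin role
    eMailAddressOwnerRoleUuid = createRole(
        emailAddressOwner(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
        beneathRole(domainAdmin(parentDomain))
    );

    -- admin role: permits only 'edit' on the new row; created beneath the owner role
    -- and registered as a domain tenant via beingItselfA(domainTenant(parentDomain))
    perform createRole(
        emailAddressAdmin(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
        beneathRole(eMailAddressOwnerRoleUuid),
        beingItselfA(domainTenant(parentDomain))
    );

    return NEW;
end; $$;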
-- AFTER INSERT: derive the RBAC roles of the new row from its domain (see createRbacRulesForEMailAddress)
drop trigger if exists createRbacRulesForEMailAddress_Trigger on EMailAddress;
create trigger createRbacRulesForEMailAddress_Trigger
    after insert on EMailAddress
    for each row execute procedure createRbacRulesForEMailAddress();
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForEMailAddress()
-- create RBAC-restricted view
-- back to the originally authenticated user (equivalent of SET SESSION SESSION AUTHORIZATION DEFAULT)
reset session authorization;
-- row-level security on the base table stays disabled; the `restricted` role is instead
-- granted the EMailAddress_rv view defined below, so access to the base table itself
-- is governed only by whatever table privileges exist outside this file
-- ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
-- EMailAddress_rv exposes only the rows on which the current subject(s) hold a 'view' permission
drop view if exists EMailAddress_rv;
create or replace view EMailAddress_rv as
    select ea.*
      from EMailAddress as ea
     where ea.uuid in (
           select queryAccessibleObjectUuidsOfSubjectIds('view', 'emailaddress', currentSubjectIds())
     );
-- NOTE(review): the filter checks the 'view' operation only, while ALL privileges are granted on the
-- view and no WITH CHECK OPTION is declared; whether insert/update/delete through the view should be
-- gated by the 'edit' permission created in createRbacRulesForEMailAddress deserves confirmation
grant all privileges on EMailAddress_rv to restricted;
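-- generate EMailAddress test data: five addresses per domain, each inserted as that
-- package's admin so that the RBAC triggers run with a non-empty current user
do language plpgsql $$
declare
    dom         record;
    pacAdmin    varchar;
    currentTask varchar;
begin
    set hsadminng.currentUser to '';
    for dom in (select d.uuid, d.name, p.name as packageName
                  from domain d
                  join unixuser u on u.uuid = d.unixuseruuid
                  join package p on u.packageuuid = p.uuid
                  join customer c on p.customeruuid = c.uuid
                -- WHERE c.reference >= 18000
               )
        loop
            for t in 0..4
                loop
                    currentTask = 'creating RBAC test EMailAddress #' || t || ' for Domain ' || dom.name;
                    raise notice 'task: %', currentTask;

                    pacAdmin = 'admin@' || dom.packageName || '.example.com';
                    -- SET is a utility command and PL/pgSQL does not substitute variables into it:
                    -- `set local hsadminng.currentUser to pacAdmin` stores the literal 'pacAdmin',
                    -- not the variable's value. set_config(name, value, true) is the SET LOCAL
                    -- equivalent that takes a value (is_local = true: scoped to this transaction).
                    perform set_config('hsadminng.currentUser', pacAdmin, true);
                    perform set_config('hsadminng.assumedRoles', '', true);
                    perform set_config('hsadminng.currentTask', currentTask, true);
                    insert
                        into EMailAddress (localPart, domainUuid)
                        values ('local' || t, dom.uuid);
                    -- commit per row so each address is created in its own transaction;
                    -- the next iteration re-applies its own transaction-local settings
                    commit;
                end loop;
        end loop;
end;
$$;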