-- ========================================================
-- Domain example with RBAC
-- --------------------------------------------------------
-- Run the rest of this script as the originally authenticated role, dropping
-- any identity assumed earlier via SET SESSION AUTHORIZATION, so that the
-- objects created below are owned by that role. RESET is the documented
-- equivalent of `set session authorization default`.
reset session authorization;
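-- A hosting domain. Every row is also an RbacObject (its uuid is filled in by
-- the BEFORE INSERT trigger below, presumably inside createRbacObject()) and is
-- owned by exactly one UnixUser, to whose package the domain's RBAC roles are
-- anchored by createRbacRulesForDomain().
create table if not exists Domain
(
    -- primary key = unique + not null: the RBAC role tree built AFTER INSERT is
    -- keyed by this uuid, so a row without one must be rejected outright.
    -- (NOT NULL is checked after BEFORE ROW triggers, so the trigger can set it.)
    uuid         uuid
                 constraint domain_uuid_pk primary key
                 constraint domain_uuid_rbacobject_fk references RbacObject (uuid),
    -- NOTE(review): 32 characters is short for a fully qualified domain name;
    -- the test data below builds 'dom-N.<unixuser name>.example.org' — confirm
    -- the limit against real unixuser names.
    name         character varying(32) not null,
    -- not null: createRbacRulesForDomain() derives the parent package (and the
    -- package-admin role the owner role hangs beneath) from this user; the FK
    -- alone would accept NULL and yield a role tree anchored to nothing.
    unixUserUuid uuid not null
                 constraint domain_unixuseruuid_fk references unixuser (uuid)
);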
-- Register every new Domain row as an RbacObject before it is stored.
-- createRbacObject() is defined elsewhere and presumably populates NEW.uuid;
-- it runs once per inserted row.
drop trigger if exists createRbacObjectForDomain_Trigger on Domain;
create trigger createRbacObjectForDomain_Trigger
    before insert on Domain
    for each row execute procedure createRbacObject();
-- Descriptor of the 'owner' role of the given domain (NULL for a NULL row).
create or replace function domainOwner(dom Domain)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
declare
    descriptor RbacRoleDescriptor;
begin
    descriptor := roleDescriptor('domain', dom.uuid, 'owner');
    return descriptor;
end; $$;
-- Descriptor of the 'admin' role of the given domain (NULL for a NULL row).
create or replace function domainAdmin(dom Domain)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
declare
    descriptor RbacRoleDescriptor;
begin
    descriptor := roleDescriptor('domain', dom.uuid, 'admin');
    return descriptor;
end; $$;
-- Descriptor of the 'tenant' role of the given domain (NULL for a NULL row).
create or replace function domainTenant(dom Domain)
    returns RbacRoleDescriptor
    returns null on null input
    language plpgsql as $$
declare
    descriptor RbacRoleDescriptor;
begin
    descriptor := roleDescriptor('domain', dom.uuid, 'tenant');
    return descriptor;
end; $$;
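-- AFTER INSERT trigger function: builds the RBAC role tree for a new Domain.
--
--   package admin (of the owning unixuser's package)
--     └─ domain owner  : all ops ('*') on the domain
--         └─ domain admin : 'edit', 'add-emailaddress'
--             └─ domain tenant: 'view' only; also a tenant of the owning unixuser
--
-- Each role is created beneath the one above it, so the permissions granted
-- to a lower role are inherited upwards; the tenant role must therefore be
-- the least privileged one in the tree.
--
-- `strict` has no effect on a trigger function (it receives no SQL arguments)
-- and is only kept for consistency with the rest of the file.
create or replace function createRbacRulesForDomain()
    returns trigger
    language plpgsql
    strict as $$
declare
    parentUser          UnixUser;
    parentPackage       package;
    domainOwnerRoleUuid uuid;
    domainAdminRoleUuid uuid;
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    -- Resolve the owning unixuser and its package and fail loudly if either is
    -- missing: the FK on Domain.unixUserUuid does not reject NULL, and a SELECT
    -- INTO with no match leaves an all-NULL record, which would silently anchor
    -- the new roles beneath a NULL parent role.
    select * from UnixUser where uuid = NEW.unixUserUuid into parentUser;
    if not found then
        raise exception 'Domain % (uuid %) references unknown UnixUser %',
            NEW.name, NEW.uuid, NEW.unixUserUuid;
    end if;
    select * from Package where uuid = parentUser.packageuuid into parentPackage;
    if not found then
        raise exception 'UnixUser % references unknown Package %',
            parentUser.uuid, parentUser.packageuuid;
    end if;

    -- owner role: full permissions on the domain, granted to the package admin.
    -- NOTE(review): testPackageAdmin() is named like a test helper — confirm it
    -- is the intended production role descriptor for the package admin.
    domainOwnerRoleUuid = createRole(
        domainOwner(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
        beneathRole(testPackageAdmin(parentPackage))
    );

    -- admin role: a subset of the owner's permissions, granted to the owner role
    domainAdminRoleUuid = createRole(
        domainAdmin(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit', 'add-emailaddress']),
        beneathRole(domainOwnerRoleUuid)
    );

    -- tenant role: read access only, granted to the admin role and itself made
    -- a tenant of the owning unixuser. It used to be granted '*', i.e. strictly
    -- more than the admin role above it; since grants flow upwards, every admin
    -- and owner inherited that, inverting the least-privilege ordering.
    -- 'view' is the op domain_rv checks; extend this list deliberately if
    -- tenants need more, rather than reverting to the wildcard.
    perform createRole(
        domainTenant(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
        beneathRole(domainAdminRoleUuid),
        beingItselfA(createUnixUserTenantRoleIfNotExists(parentUser))
    );

    return NEW;
end; $$;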
-- Build the RBAC role tree once the Domain row (and its uuid) exists;
-- see createRbacRulesForDomain() above.
drop trigger if exists createRbacRulesForDomain_Trigger on Domain;
create trigger createRbacRulesForDomain_Trigger
    after insert on Domain
    for each row execute procedure createRbacRulesForDomain();
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForDomain() — nothing in this
-- file removes the roles and permission grants created above when a Domain row
-- is deleted, so until an AFTER DELETE counterpart exists they are left behind
-- (unless the RbacObject reference cascades their cleanup elsewhere).
-- create RBAC-restricted view
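set session session authorization default;

-- Row-level security is NOT enabled on Domain: read access control rests
-- entirely on the domain_rv view below, so the base table must never be
-- granted to `restricted` (only the view is, see the GRANT at the end).
-- ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;

drop view if exists domain_rv;
-- Explicit column list instead of `target.*`: a column added to Domain later
-- must be exposed to restricted users deliberately, not by default.
create or replace view domain_rv as
    select target.uuid,
           target.name,
           target.unixUserUuid
      from Domain as target
     where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));

-- NOTE(review): a single-table view like this is auto-updatable, so ALL
-- PRIVILEGES includes INSERT/UPDATE/DELETE through it. Without WITH CHECK
-- OPTION the WHERE clause only limits which rows can be read, updated or
-- deleted, not the values written — an INSERT is not filtered at all, and an
-- UPDATE may move a row out of the caller's visible set. Adding the check
-- option would likely break inserts here, because 'view' is only granted by
-- the AFTER INSERT trigger; if writes through the view are not needed, reduce
-- this to GRANT SELECT.
grant all privileges on domain_rv to restricted;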
-- generate Domain test data
-- Generate Domain test data: for roughly 30% of all unixusers, insert two
-- domains, each created while impersonating the admin of the user's package so
-- that the RBAC triggers run with a realistic currentUser. Every insert is
-- committed on its own, so this DO block must not be run inside an enclosing
-- transaction.
do language plpgsql $$
declare
    unixUserRow  record;
    packageAdmin varchar;
    currentTask  varchar;
begin
    set hsadminng.currentUser to '';

    -- the package name is taken from the join instead of a lookup per row;
    -- to restrict the generated set, add a filter here (e.g. on c.reference)
    for unixUserRow in (select u.uuid, u.name, u.packageuuid, p.name as packagename, c.reference
                          from unixuser u
                          join package p on u.packageuuid = p.uuid
                          join customer c on p.customeruuid = c.uuid
                       )
    loop
        -- only about 30% of the unixusers get test domains
        if random() >= 0.3 then
            continue;
        end if;

        for domainNo in 0..1
        loop
            currentTask = 'creating RBAC test Domain #' || domainNo || ' for UnixUser ' || unixUserRow.name || ' #' || unixUserRow.uuid;
            raise notice 'task: %', currentTask;
            packageAdmin = 'admin@' || unixUserRow.packagename || '.example.com';

            -- %L quotes the values as SQL literals, so a name containing quotes
            -- cannot break out of the SET statement.
            execute format('set local hsadminng.currentTask to %L', currentTask);
            execute format('set local hsadminng.currentUser to %L', packageAdmin);
            set local hsadminng.assumedRoles = '';

            insert
                into Domain (name, unixUserUuid)
                values ('dom-' || domainNo || '.' || unixUserRow.name || '.example.org', unixUserRow.uuid);
            -- each domain in its own transaction; SET LOCAL values are reset by this
            commit;
        end loop;
    end loop;
end;
$$;