2022-08-14 16:44:26 +02:00
|
|
|
--liquibase formatted sql
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
/*
|
|
|
|
|
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
|
|
|
|
*/
|
2022-08-31 09:42:40 +02:00
|
|
|
drop trigger if exists createRbacObjectFortest_unixuser_Trigger on test_unixuser;
|
|
|
|
|
create trigger createRbacObjectFortest_unixuser_Trigger
|
2022-08-14 16:44:26 +02:00
|
|
|
before insert
|
2022-08-31 09:42:40 +02:00
|
|
|
on test_unixuser
|
2022-08-14 16:44:26 +02:00
|
|
|
for each row
|
|
|
|
|
execute procedure createRbacObject();
|
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
create or replace function testUnixUserOwner(uu test_unixuser)
|
2022-08-14 16:44:26 +02:00
|
|
|
returns RbacRoleDescriptor
|
|
|
|
|
returns null on null input
|
|
|
|
|
language plpgsql as $$
|
|
|
|
|
begin
|
2022-08-31 09:42:40 +02:00
|
|
|
return roleDescriptor('test_unixuser', uu.uuid, 'owner');
|
2022-08-14 16:44:26 +02:00
|
|
|
end; $$;
|
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
create or replace function testUnixUserAdmin(uu test_unixuser)
|
2022-08-14 16:44:26 +02:00
|
|
|
returns RbacRoleDescriptor
|
|
|
|
|
returns null on null input
|
|
|
|
|
language plpgsql as $$
|
|
|
|
|
begin
|
2022-08-31 09:42:40 +02:00
|
|
|
return roleDescriptor('test_unixuser', uu.uuid, 'admin');
|
2022-08-14 16:44:26 +02:00
|
|
|
end; $$;
|
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
create or replace function testUnixUserTenant(uu test_unixuser)
|
2022-08-14 16:44:26 +02:00
|
|
|
returns RbacRoleDescriptor
|
|
|
|
|
returns null on null input
|
|
|
|
|
language plpgsql as $$
|
|
|
|
|
begin
|
2022-08-31 09:42:40 +02:00
|
|
|
return roleDescriptor('test_unixuser', uu.uuid, 'tenant');
|
2022-08-14 16:44:26 +02:00
|
|
|
end; $$;
|
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
create or replace function createTestUnixUserTenantRoleIfNotExists(unixUser test_unixuser)
|
2022-08-14 16:44:26 +02:00
|
|
|
returns uuid
|
|
|
|
|
returns null on null input
|
|
|
|
|
language plpgsql as $$
|
|
|
|
|
declare
|
|
|
|
|
unixUserTenantRoleDesc RbacRoleDescriptor;
|
|
|
|
|
unixUserTenantRoleUuid uuid;
|
|
|
|
|
begin
|
2022-08-31 09:42:40 +02:00
|
|
|
unixUserTenantRoleDesc = testUnixUserTenant(unixUser);
|
2022-08-14 16:44:26 +02:00
|
|
|
unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc);
|
|
|
|
|
if unixUserTenantRoleUuid is not null then
|
|
|
|
|
return unixUserTenantRoleUuid;
|
|
|
|
|
end if;
|
|
|
|
|
|
|
|
|
|
return createRole(
|
|
|
|
|
unixUserTenantRoleDesc,
|
|
|
|
|
grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']),
|
2022-08-31 09:42:40 +02:00
|
|
|
beneathRole(testUnixUserAdmin(unixUser))
|
2022-08-14 16:44:26 +02:00
|
|
|
);
|
|
|
|
|
end; $$;
|
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
/*
|
|
|
|
|
Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER.
|
|
|
|
|
*/
|
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
create or replace function createRbacRulesForTestUnixUser()
|
2022-08-14 16:44:26 +02:00
|
|
|
returns trigger
|
|
|
|
|
language plpgsql
|
|
|
|
|
strict as $$
|
|
|
|
|
declare
|
2022-08-31 09:42:40 +02:00
|
|
|
parentPackage test_package;
|
2022-08-14 16:44:26 +02:00
|
|
|
unixuserOwnerRoleId uuid;
|
|
|
|
|
unixuserAdminRoleId uuid;
|
|
|
|
|
begin
|
|
|
|
|
if TG_OP <> 'INSERT' then
|
|
|
|
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
|
|
|
|
end if;
|
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
select * from test_package where uuid = NEW.packageUuid into parentPackage;
|
2022-08-14 16:44:26 +02:00
|
|
|
|
|
|
|
|
-- an owner role is created and assigned to the package's admin group
|
|
|
|
|
unixuserOwnerRoleId = createRole(
|
2022-08-31 09:42:40 +02:00
|
|
|
testUnixUserOwner(NEW),
|
2022-08-14 16:44:26 +02:00
|
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
2022-08-31 09:42:40 +02:00
|
|
|
beneathRole(testPackageAdmin(parentPackage))
|
2022-08-14 16:44:26 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
-- and a unixuser admin role is created and assigned to the unixuser owner as well
|
|
|
|
|
unixuserAdminRoleId = createRole(
|
2022-08-31 09:42:40 +02:00
|
|
|
testUnixUserAdmin(NEW),
|
2022-08-14 16:44:26 +02:00
|
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
|
|
|
|
beneathRole(unixuserOwnerRoleId),
|
2022-08-31 09:42:40 +02:00
|
|
|
beingItselfA(testPackageTenant(parentPackage))
|
2022-08-14 16:44:26 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
-- a tenent role is only created on demand
|
|
|
|
|
|
|
|
|
|
return NEW;
|
|
|
|
|
end; $$;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser.
|
|
|
|
|
*/
|
2022-08-31 09:42:40 +02:00
|
|
|
drop trigger if exists createRbacRulesForTestUnixuser_Trigger on test_unixuser;
|
|
|
|
|
create trigger createRbacRulesForTestUnixuser_Trigger
|
2022-08-14 16:44:26 +02:00
|
|
|
after insert
|
2022-08-31 09:42:40 +02:00
|
|
|
on test_unixuser
|
2022-08-14 16:44:26 +02:00
|
|
|
for each row
|
2022-08-31 09:42:40 +02:00
|
|
|
execute procedure createRbacRulesForTestUnixUser();
|
2022-08-14 16:44:26 +02:00
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER.
|
|
|
|
|
*/
|
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
create or replace function deleteRbacRulesForTestUnixUser()
|
2022-08-14 16:44:26 +02:00
|
|
|
returns trigger
|
|
|
|
|
language plpgsql
|
|
|
|
|
strict as $$
|
|
|
|
|
begin
|
|
|
|
|
if TG_OP = 'DELETE' then
|
2022-08-31 09:42:40 +02:00
|
|
|
call deleteRole(findRoleId(testUnixUserOwner(OLD)));
|
|
|
|
|
call deleteRole(findRoleId(testUnixUserAdmin(OLD)));
|
|
|
|
|
call deleteRole(findRoleId(testUnixUserTenant(OLD)));
|
2022-08-14 16:44:26 +02:00
|
|
|
else
|
|
|
|
|
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
|
|
|
|
end if;
|
|
|
|
|
end; $$;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser.
|
|
|
|
|
*/
|
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package;
|
|
|
|
|
create trigger deleteRbacRulesForTestUnixUser_Trigger
|
2022-08-14 16:44:26 +02:00
|
|
|
before delete
|
2022-08-31 09:42:40 +02:00
|
|
|
on test_unixuser
|
2022-08-14 16:44:26 +02:00
|
|
|
for each row
|
2022-08-31 09:42:40 +02:00
|
|
|
execute procedure deleteRbacRulesForTestUnixUser();
|
2022-08-14 16:44:26 +02:00
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Creates a view to the UnixUser main table which maps the identifying name
|
|
|
|
|
(in this case, actually the column `name`) to the objectUuid.
|
|
|
|
|
*/
|
2022-08-31 09:42:40 +02:00
|
|
|
drop view if exists test_unixuser_iv;
|
|
|
|
|
create or replace view test_unixuser_iv as
|
2022-08-14 16:44:26 +02:00
|
|
|
select distinct target.uuid, target.name as idName
|
2022-08-31 09:42:40 +02:00
|
|
|
from test_unixuser as target;
|
2022-08-14 16:44:26 +02:00
|
|
|
-- TODO: Is it ok that everybody has access to this information?
|
2022-08-31 09:42:40 +02:00
|
|
|
grant all privileges on test_unixuser_iv to restricted;
|
2022-08-14 16:44:26 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
|
|
|
|
|
*/
|
2022-08-31 09:42:40 +02:00
|
|
|
create or replace function test_unixUserUuidByIdName(idName varchar)
|
2022-08-14 16:44:26 +02:00
|
|
|
returns uuid
|
|
|
|
|
language sql
|
|
|
|
|
strict as $$
|
2022-08-31 09:42:40 +02:00
|
|
|
select uuid from test_unixuser_iv iv where iv.idName = test_unixUserUuidByIdName.idName;
|
2022-08-14 16:44:26 +02:00
|
|
|
$$;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Returns the identifying name for a given objectUuid (in this case the name).
|
|
|
|
|
*/
|
2022-08-31 09:42:40 +02:00
|
|
|
create or replace function test_unixUserIdNameByUuid(uuid uuid)
|
2022-08-14 16:44:26 +02:00
|
|
|
returns varchar
|
|
|
|
|
stable leakproof
|
|
|
|
|
language sql
|
|
|
|
|
strict as $$
|
2022-08-31 09:42:40 +02:00
|
|
|
select idName from test_unixuser_iv iv where iv.uuid = test_unixUserIdNameByUuid.uuid;
|
2022-08-14 16:44:26 +02:00
|
|
|
$$;
|
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 09:42:40 +02:00
|
|
|
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Creates a view to the customer main table which maps the identifying name
|
|
|
|
|
(in this case, the prefix) to the objectUuid.
|
|
|
|
|
*/
|
2022-08-31 09:42:40 +02:00
|
|
|
drop view if exists test_unixuser_rv;
|
|
|
|
|
create or replace view test_unixuser_rv as
|
2022-08-14 16:44:26 +02:00
|
|
|
select target.*
|
2022-08-31 09:42:40 +02:00
|
|
|
from test_unixuser as target
|
2022-08-30 09:18:52 +02:00
|
|
|
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids()));
|
2022-08-31 09:42:40 +02:00
|
|
|
grant all privileges on test_unixuser_rv to restricted;
|
2022-08-14 16:44:26 +02:00
|
|
|
--//
|
