hs.hsadmin.ng/src/main/resources/db/changelog/113-test-customer-rbac.sql

--liquibase formatted sql

-- ============================================================================
--changeset test-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates the related RbacObject through a BEFORE INSERT TRIGGER.
 */
drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;
create trigger createRbacObjectForCustomer_Trigger
    before insert
    on test_customer
    for each row
execute procedure createRbacObject();
--//

-- ============================================================================
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

create or replace function testCustomerOwner(customer test_customer)
    returns RbacRoleDescriptor
    language plpgsql
    strict as $$
begin
    return roleDescriptor('test_customer', customer.uuid, 'owner');
end; $$;

create or replace function testCustomerAdmin(customer test_customer)
    returns RbacRoleDescriptor
    language plpgsql
    strict as $$
begin
    return roleDescriptor('test_customer', customer.uuid, 'admin');
end; $$;

create or replace function testCustomerTenant(customer test_customer)
    returns RbacRoleDescriptor
    language plpgsql
    strict as $$
begin
    return roleDescriptor('test_customer', customer.uuid, 'tenant');
end; $$;
--//


-- ============================================================================
--changeset test-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.
 */

create or replace function createRbacRolesForTestCustomer()
    returns trigger
    language plpgsql
    strict as $$
declare
    testCustomerOwnerUuid uuid;
    customerAdminUuid uuid;
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    -- the owner role with full access for Hostsharing administrators
    testCustomerOwnerUuid = createRole(
        testCustomerOwner(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
        beneathRole(testGlobalAdmin())
        );

    -- the admin role for the customer's admins, who can view and add products
    customerAdminUuid = createRole(
        testCustomerAdmin(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
        -- NO auto assume for customer owner to avoid exploding permissions for administrators
        withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
        grantedByRole(testGlobalAdmin())
        );

    -- allow the customer owner role (thus administrators) to assume the customer admin role
    call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);

    -- the tenant role which later can be used by owners+admins of sub-objects
    perform createRole(
        testCustomerTenant(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])
        );

    return NEW;
end; $$;

/*
    An AFTER INSERT TRIGGER which creates the role structure for a new customer.
 */

drop trigger if exists createRbacRolesForTestCustomer_Trigger on test_customer;
create trigger createRbacRolesForTestCustomer_Trigger
    after insert
    on test_customer
    for each row
execute procedure createRbacRolesForTestCustomer();
--//


-- ============================================================================
--changeset test-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER.
 */

create or replace function deleteRbacRulesForTestCustomer()
    returns trigger
    language plpgsql
    strict as $$
begin
    if TG_OP = 'DELETE' then
        call deleteRole(findRoleId(testCustomerOwner(OLD)));
        call deleteRole(findRoleId(testCustomerAdmin(OLD)));
        call deleteRole(findRoleId(testCustomerTenant(OLD)));
    else
        raise exception 'invalid usage of TRIGGER BEFORE DELETE';
    end if;
end; $$;

/*
    An BEFORE DELETE TRIGGER which deletes the role structure of a customer.
 */

drop trigger if exists deleteRbacRulesForTestCustomer_Trigger on test_customer;
create trigger deleteRbacRulesForTestCustomer_Trigger
    before delete
    on test_customer
    for each row
execute procedure deleteRbacRulesForTestCustomer();
--//

-- ============================================================================
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates a view to the customer main table which maps the identifying name
    (in this case, the prefix) to the objectUuid.
 */
drop view if exists test_customer_iv;
create or replace view test_customer_iv as
select target.uuid, target.prefix as idName
    from test_customer as target;
-- TODO: Is it ok that everybody has access to this information?
grant all privileges on test_customer_iv to restricted;

/*
    Returns the objectUuid for a given identifying name (in this case the prefix).
 */
create or replace function test_customerUuidByIdName(idName varchar)
    returns uuid
    language sql
    strict as $$
select uuid from test_customer_iv iv where iv.idName = test_customerUuidByIdName.idName;
$$;

/*
    Returns the identifying name for a given objectUuid (in this case the prefix).
 */
create or replace function test_customerIdNameByUuid(uuid uuid)
    returns varchar
    language sql
    strict as $$
select idName from test_customer_iv iv where iv.uuid = test_customerIdNameByUuid.uuid;
$$;
--//


-- ============================================================================
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates a view to the customer main table with row-level limitation
    based on the 'view' permission of the current user or assumed roles.
 */
set session session authorization default;
drop view if exists test_customer_rv;
create or replace view test_customer_rv as
select target.*
    from test_customer as target
    where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_customer', currentSubjectsUuids()));
grant all privileges on test_customer_rv to restricted;
--//


-- ============================================================================
--changeset test-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates a global permission for add-customer and assigns it to the hostsharing admins role.
 */
do language plpgsql $$
    declare
        addCustomerPermissions  uuid[];
        globalObjectUuid        uuid;
        globalAdminRoleUuid         uuid ;
    begin
        call defineContext('granting global add-customer permission to global admin role', null, null, null);

        globalAdminRoleUuid := findRoleId(testGlobalAdmin());
        globalObjectUuid := (select uuid from global);
        addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
        call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
    end;
$$;

/**
    Used by the trigger to prevent the add-customer to current user respectively assumed roles.
 */
create or replace function addTestCustomerNotAllowedForCurrentSubjects()
    returns trigger
    language PLPGSQL
as $$
begin
    raise exception '[403] add-customer not permitted for %',
        array_to_string(currentSubjects(), ';', 'null');
end; $$;

/**
    Checks if the user or assumed roles are allowed to add a new customer.
 */
create trigger test_customer_insert_trigger
    before insert
    on test_customer
    for each row
    when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
execute procedure addTestCustomerNotAllowedForCurrentSubjects();
--//
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`--liquibase formatted sql`
formatted SQL code 2022-07-29 08:46:04 +02:00
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ----------------------------------------------------------------------------`
formatted SQL code 2022-07-29 08:46:04 +02:00
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`/*`
			`Creates the related RbacObject through a BEFORE INSERT TRIGGER.`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`create trigger createRbacObjectForCustomer_Trigger`
			`before insert`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`on test_customer`
formatted SQL code 2022-07-29 08:46:04 +02:00			`for each row`
			`execute procedure createRbacObject();`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`--//`

			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ----------------------------------------------------------------------------`
formatted SQL code 2022-07-29 08:46:04 +02:00
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function testCustomerOwner(customer test_customer)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns RbacRoleDescriptor`
			`language plpgsql`
			`strict as $$`
			`begin`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`return roleDescriptor('test_customer', customer.uuid, 'owner');`
formatted SQL code 2022-07-29 08:46:04 +02:00			`end; $$;`

use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function testCustomerAdmin(customer test_customer)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns RbacRoleDescriptor`
			`language plpgsql`
			`strict as $$`
			`begin`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`return roleDescriptor('test_customer', customer.uuid, 'admin');`
formatted SQL code 2022-07-29 08:46:04 +02:00			`end; $$;`

use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function testCustomerTenant(customer test_customer)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns RbacRoleDescriptor`
			`language plpgsql`
			`strict as $$`
			`begin`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`return roleDescriptor('test_customer', customer.uuid, 'tenant');`
formatted SQL code 2022-07-29 08:46:04 +02:00			`end; $$;`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`--//`


			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-customer-rbac-ROLES-CREATION:1 endDelimiter:--//`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ----------------------------------------------------------------------------`
formatted SQL code 2022-07-29 08:46:04 +02:00
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`/*`
			`Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.`
			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function createRbacRolesForTestCustomer()`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`declare`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`testCustomerOwnerUuid uuid;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`customerAdminUuid uuid;`
			`begin`
			`if TG_OP <> 'INSERT' then`
			`raise exception 'invalid usage of TRIGGER AFTER INSERT';`
			`end if;`

			`-- the owner role with full access for Hostsharing administrators`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`testCustomerOwnerUuid = createRole(`
			`testCustomerOwner(NEW),`
formatted SQL code 2022-07-29 08:46:04 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`beneathRole(testGlobalAdmin())`
formatted SQL code 2022-07-29 08:46:04 +02:00			`);`

			`-- the admin role for the customer's admins, who can view and add products`
			`customerAdminUuid = createRole(`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`testCustomerAdmin(NEW),`
formatted SQL code 2022-07-29 08:46:04 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),`
creating and viewing grants 2022-08-13 16:47:36 +02:00			`-- NO auto assume for customer owner to avoid exploding permissions for administrators`
implements user granting roles to other users 2022-08-16 10:46:41 +02:00			`withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`grantedByRole(testGlobalAdmin())`
formatted SQL code 2022-07-29 08:46:04 +02:00			`);`

			`-- allow the customer owner role (thus administrators) to assume the customer admin role`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);`
formatted SQL code 2022-07-29 08:46:04 +02:00
			`-- the tenant role which later can be used by owners+admins of sub-objects`
			`perform createRole(`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`testCustomerTenant(NEW),`
formatted SQL code 2022-07-29 08:46:04 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])`
			`);`

			`return NEW;`
			`end; $$;`

hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`/*`
			`An AFTER INSERT TRIGGER which creates the role structure for a new customer.`
			`*/`

use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`drop trigger if exists createRbacRolesForTestCustomer_Trigger on test_customer;`
			`create trigger createRbacRolesForTestCustomer_Trigger`
formatted SQL code 2022-07-29 08:46:04 +02:00			`after insert`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`on test_customer`
formatted SQL code 2022-07-29 08:46:04 +02:00			`for each row`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`execute procedure createRbacRolesForTestCustomer();`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`--//`

hs-customer SQL-Scripts in Liquibase 2022-07-29 12:14:22 +02:00
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ----------------------------------------------------------------------------`

			`/*`
			`Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER.`
			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function deleteRbacRulesForTestCustomer()`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`begin`
			`if TG_OP = 'DELETE' then`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`call deleteRole(findRoleId(testCustomerOwner(OLD)));`
			`call deleteRole(findRoleId(testCustomerAdmin(OLD)));`
			`call deleteRole(findRoleId(testCustomerTenant(OLD)));`
formatted SQL code 2022-07-29 08:46:04 +02:00			`else`
			`raise exception 'invalid usage of TRIGGER BEFORE DELETE';`
			`end if;`
			`end; $$;`

hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`/*`
			`An BEFORE DELETE TRIGGER which deletes the role structure of a customer.`
			`*/`

use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`drop trigger if exists deleteRbacRulesForTestCustomer_Trigger on test_customer;`
			`create trigger deleteRbacRulesForTestCustomer_Trigger`
formatted SQL code 2022-07-29 08:46:04 +02:00			`before delete`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`on test_customer`
formatted SQL code 2022-07-29 08:46:04 +02:00			`for each row`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`execute procedure deleteRbacRulesForTestCustomer();`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`--//`
formatted SQL code 2022-07-29 08:46:04 +02:00
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ----------------------------------------------------------------------------`

			`/*`
			`Creates a view to the customer main table which maps the identifying name`
			`(in this case, the prefix) to the objectUuid.`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`drop view if exists test_customer_iv;`
			`create or replace view test_customer_iv as`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`select target.uuid, target.prefix as idName`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`from test_customer as target;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`-- TODO: Is it ok that everybody has access to this information?`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`grant all privileges on test_customer_iv to restricted;`
formatted SQL code 2022-07-29 08:46:04 +02:00
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`/*`
			`Returns the objectUuid for a given identifying name (in this case the prefix).`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function test_customerUuidByIdName(idName varchar)`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns uuid`
			`language sql`
			`strict as $$`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`select uuid from test_customer_iv iv where iv.idName = test_customerUuidByIdName.idName;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`$$;`
add RbacRole... 2022-08-03 06:12:16 +02:00
			`/*`
			`Returns the identifying name for a given objectUuid (in this case the prefix).`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function test_customerIdNameByUuid(uuid uuid)`
add RbacRole... 2022-08-03 06:12:16 +02:00			`returns varchar`
			`language sql`
			`strict as $$`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`select idName from test_customer_iv iv where iv.uuid = test_customerIdNameByUuid.uuid;`
add RbacRole... 2022-08-03 06:12:16 +02:00			`$$;`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`--//`
formatted SQL code 2022-07-29 08:46:04 +02:00
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00
			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`-- ----------------------------------------------------------------------------`
			`/*`
add RbacRole... 2022-08-03 06:12:16 +02:00			`Creates a view to the customer main table with row-level limitation`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`based on the 'view' permission of the current user or assumed roles.`
			`*/`
formatted SQL code 2022-07-29 08:46:04 +02:00			`set session session authorization default;`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`drop view if exists test_customer_rv;`
			`create or replace view test_customer_rv as`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`select target.*`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`from test_customer as target`
			`where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_customer', currentSubjectsUuids()));`
			`grant all privileges on test_customer_rv to restricted;`
hs-customer SQL-Scripts in Liquibase 2022-07-29 11:39:32 +02:00			`--//`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00

			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`-- ----------------------------------------------------------------------------`
			`/*`
			`Creates a global permission for add-customer and assigns it to the hostsharing admins role.`
			`*/`
			`do language plpgsql $$`
			`declare`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`addCustomerPermissions uuid[];`
			`globalObjectUuid uuid;`
			`globalAdminRoleUuid uuid ;`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`begin`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`call defineContext('granting global add-customer permission to global admin role', null, null, null);`
introduce currentTask and ContextBasedTest 2022-08-24 11:32:51 +02:00
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`globalAdminRoleUuid := findRoleId(testGlobalAdmin());`
			`globalObjectUuid := (select uuid from global);`
			`addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);`
			`call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`end;`
			`$$;`

			`/**`
			`Used by the trigger to prevent the add-customer to current user respectively assumed roles.`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function addTestCustomerNotAllowedForCurrentSubjects()`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`returns trigger`
			`language PLPGSQL`
			`as $$`
			`begin`
introduce defineContext replacing explicit "set local current..." 2022-08-30 09:35:59 +02:00			`raise exception '[403] add-customer not permitted for %',`
			`array_to_string(currentSubjects(), ';', 'null');`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`end; $$;`

			`/**`
			`Checks if the user or assumed roles are allowed to add a new customer.`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create trigger test_customer_insert_trigger`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`before insert`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`on test_customer`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`for each row`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )`
			`execute procedure addTestCustomerNotAllowedForCurrentSubjects();`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`--//`