hs.hsadmin.ng/src/main/resources/db/changelog/123-test-package-rbac.sql

--liquibase formatted sql

-- ============================================================================
--changeset test-package-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_package');
--//


-- ============================================================================
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testPackage', 'test_package');
--//


-- ============================================================================
--changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
 */
create or replace function createRbacRolesForTestPackage()
    returns trigger
    language plpgsql
    strict as $$
declare
    parentCustomer       test_customer;
    packageOwnerRoleUuid uuid;
    packageAdminRoleUuid uuid;
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;

    -- an owner role is created and assigned to the customer's admin role
    perform createRoleWithGrants(
            testPackageOwner(NEW),
            permissions => array ['*'],
            incomingSuperRoles => array[testCustomerAdmin(parentCustomer)]
        );

    -- an owner role is created and assigned to the package owner role
    perform createRoleWithGrants(
            testPackageAdmin(NEW),
            permissions => array ['add-domain'],
            incomingSuperRoles => array[testPackageOwner(NEW)]
        );

    -- and a package tenant role is created and assigned to the package admin as well
    perform createRoleWithGrants(
            testPackageTenant(NEW),
            permissions => array['view'],
            incomingsuperroles => array[testPackageAdmin(NEW)],
            outgoingSubRoles => array[testCustomerTenant(parentCustomer)]
        );

    return NEW;
end; $$;

/*
    An AFTER INSERT TRIGGER which creates the role structure for a new package.
 */

create trigger createRbacRolesForTestPackage_Trigger
    after insert
    on test_package
    for each row
execute procedure createRbacRolesForTestPackage();
--//


-- ============================================================================
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityView('test_package', 'target.name');
--//


-- ============================================================================
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates a view to the customer main table which maps the identifying name
    (in this case, the prefix) to the objectUuid.
 */
-- drop view if exists test_package_rv;
-- create or replace view test_package_rv as
-- select target.*
--     from test_package as target
--     where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
--     order by target.name;
-- grant all privileges on test_package_rv to restricted;

call generateRbacRestrictedView('test_package', 'target.name',
    $updates$
        version = new.version,
        customerUuid = new.customerUuid,
        name = new.name,
        description = new.description
    $updates$);

--//
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--liquibase formatted sql`

			`-- ============================================================================`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`--changeset test-package-rbac-OBJECT:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`call generateRelatedRbacObject('test_package');`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
removing JHipster 2022-07-22 13:31:37 +02:00

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`call generateRbacRoleDescriptors('testPackage', 'test_package');`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
			`/*`
			`Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function createRbacRolesForTestPackage()`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`declare`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`parentCustomer test_customer;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`packageOwnerRoleUuid uuid;`
			`packageAdminRoleUuid uuid;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`begin`
			`if TG_OP <> 'INSERT' then`
			`raise exception 'invalid usage of TRIGGER AFTER INSERT';`
			`end if;`
removing JHipster 2022-07-22 13:31:37 +02:00
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;`
removing JHipster 2022-07-22 13:31:37 +02:00
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`-- an owner role is created and assigned to the customer's admin role`
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
			`testPackageOwner(NEW),`
			`permissions => array ['*'],`
			`incomingSuperRoles => array[testCustomerAdmin(parentCustomer)]`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`

			`-- an owner role is created and assigned to the package owner role`
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
			`testPackageAdmin(NEW),`
			`permissions => array ['add-domain'],`
			`incomingSuperRoles => array[testPackageOwner(NEW)]`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`

			`-- and a package tenant role is created and assigned to the package admin as well`
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
			`testPackageTenant(NEW),`
			`permissions => array['view'],`
			`incomingsuperroles => array[testPackageAdmin(NEW)],`
			`outgoingSubRoles => array[testCustomerTenant(parentCustomer)]`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`
removing JHipster 2022-07-22 13:31:37 +02:00
formatted SQL code 2022-07-29 08:46:04 +02:00			`return NEW;`
			`end; $$;`
removing JHipster 2022-07-22 13:31:37 +02:00
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`/*`
			`An AFTER INSERT TRIGGER which creates the role structure for a new package.`
			`*/`

use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create trigger createRbacRolesForTestPackage_Trigger`
formatted SQL code 2022-07-29 08:46:04 +02:00			`after insert`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`on test_package`
formatted SQL code 2022-07-29 08:46:04 +02:00			`for each row`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`execute procedure createRbacRolesForTestPackage();`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`


			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`-- ----------------------------------------------------------------------------`
introduces generateRbacRestrictedView to generate restricted view + triggers 2022-09-19 20:43:14 +02:00			`call generateRbacIdentityView('test_package', 'target.name');`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`--//`


			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`

			`/*`
			`Creates a view to the customer main table which maps the identifying name`
			`(in this case, the prefix) to the objectUuid.`
			`*/`
introduces generateRbacRestrictedView to generate restricted view + triggers 2022-09-19 20:43:14 +02:00			`-- drop view if exists test_package_rv;`
			`-- create or replace view test_package_rv as`
			`-- select target.*`
			`-- from test_package as target`
			`-- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))`
			`-- order by target.name;`
			`-- grant all privileges on test_package_rv to restricted;`

			`call generateRbacRestrictedView('test_package', 'target.name',`
			$updates$
			`version = new.version,`
			`customerUuid = new.customerUuid,`
			`name = new.name,`
			`description = new.description`
			`$updates$);`

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
introduces generateRbacRestrictedView to generate restricted view + triggers 2022-09-19 20:43:14 +02:00