hs.hsadmin.ng/src/main/resources/db/changelog/123-test-package-rbac.sql

--liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-09T08:56:16.450322125.

-- ============================================================================
--changeset test-package-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_package');
--//


-- ============================================================================
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testPackage', 'test_package');
--//


-- ============================================================================
--changeset test-package-rbac-insert-trigger:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
 */

create or replace procedure buildRbacSystemForTestPackage(
    NEW test_package
)
    language plpgsql as $$

declare
    newCustomer test_customer;

begin
    call enterTriggerForObjectUuid(NEW.uuid);
    SELECT * FROM test_customer c
        WHERE c.uuid= NEW.customerUuid
     into newCustomer;

    perform createRoleWithGrants(
        testPackageOwner(NEW),
            permissions => array['DELETE', 'UPDATE'],
            incomingSuperRoles => array[testCustomerAdmin(newCustomer)]
    );

    perform createRoleWithGrants(
        testPackageAdmin(NEW),
            incomingSuperRoles => array[testPackageOwner(NEW)]
    );

    perform createRoleWithGrants(
        testPackageTenant(NEW),
            permissions => array['SELECT'],
            incomingSuperRoles => array[testPackageAdmin(NEW)],
            outgoingSubRoles => array[testCustomerTenant(newCustomer)]
    );

    call leaveTriggerForObjectUuid(NEW.uuid);
end; $$;

/*
    AFTER INSERT TRIGGER to create the role+grant structure for a new test_package row.
 */

create or replace function insertTriggerForTestPackage_tf()
    returns trigger
    language plpgsql
    strict as $$
begin
    call buildRbacSystemForTestPackage(NEW);
    return NEW;
end; $$;

create trigger insertTriggerForTestPackage_tg
    after insert on test_package
    for each row
execute procedure insertTriggerForTestPackage_tf();

--//

-- ============================================================================
--changeset test-package-rbac-update-trigger:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Called from the AFTER UPDATE TRIGGER to re-wire the grants.
 */

create or replace procedure updateRbacRulesForTestPackage(
    OLD test_package,
    NEW test_package
)
    language plpgsql as $$

declare
    oldCustomer test_customer;
    newCustomer test_customer;

begin
    call enterTriggerForObjectUuid(NEW.uuid);

    SELECT * FROM test_customer c
        WHERE c.uuid= OLD.customerUuid
     into oldCustomer;
    SELECT * FROM test_customer c
        WHERE c.uuid= NEW.customerUuid
     into newCustomer;

    if NEW.customerUuid <> OLD.customerUuid then

        call revokePermissionFromRole(findPermissionId(OLD.uuid, 'INSERT'), testCustomerAdmin(oldCustomer));

        call revokeRoleFromRole(testPackageOwner(OLD), testCustomerAdmin(oldCustomer));
        call grantRoleToRole(testPackageOwner(NEW), testCustomerAdmin(newCustomer));

        call revokeRoleFromRole(testCustomerTenant(oldCustomer), testPackageTenant(OLD));
        call grantRoleToRole(testCustomerTenant(newCustomer), testPackageTenant(NEW));

    end if;

    call leaveTriggerForObjectUuid(NEW.uuid);
end; $$;

/*
    AFTER INSERT TRIGGER to re-wire the grant structure for a new test_package row.
 */

create or replace function updateTriggerForTestPackage_tf()
    returns trigger
    language plpgsql
    strict as $$
begin
    call updateRbacRulesForTestPackage(OLD, NEW);
    return NEW;
end; $$;

create trigger updateTriggerForTestPackage_tg
    after update on test_package
    for each row
execute procedure updateTriggerForTestPackage_tf();

--//

-- ============================================================================
--changeset test-package-rbac-INSERT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates INSERT INTO test_package permissions for the related test_customer rows.
 */
do language plpgsql $$
    declare
        row test_customer;
        permissionUuid uuid;
        roleUuid uuid;
    begin
        call defineContext('create INSERT INTO test_package permissions for the related test_customer rows');

        FOR row IN SELECT * FROM test_customer
            LOOP
                roleUuid := findRoleId(testCustomerAdmin(row));
                permissionUuid := createPermission(row.uuid, 'INSERT', 'test_package');
                call grantPermissionToRole(roleUuid, permissionUuid);
            END LOOP;
    END;
$$;

/**
    Adds test_package INSERT permission to specified role of new test_customer rows.
*/
create or replace function test_package_test_customer_insert_tf()
    returns trigger
    language plpgsql
    strict as $$
begin
    call grantPermissionToRole(
            testCustomerAdmin(NEW),
            createPermission(NEW.uuid, 'INSERT', 'test_package'));
    return NEW;
end; $$;

create trigger test_package_test_customer_insert_tg
    after insert on test_customer
    for each row
execute procedure test_package_test_customer_insert_tf();

/**
    Checks if the user or assumed roles are allowed to insert a row to test_package.
*/
create or replace function test_package_insert_permission_missing_tf()
    returns trigger
    language plpgsql as $$
begin
    raise exception '[403] insert into test_package not allowed for current subjects % (%)',
        currentSubjects(), currentSubjectsUuids();
end; $$;

create trigger test_package_insert_permission_check_tg
    before insert on test_package
    for each row
    when ( not hasInsertPermission(NEW.customerUuid, 'INSERT', 'test_package') )
        execute procedure test_package_insert_permission_missing_tf();

--//
-- ============================================================================
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityView('test_package', $idName$
    name
    $idName$);
--//


-- ============================================================================
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_package',
    'name',
    $updates$
        version = new.version,
        customerUuid = new.customerUuid,
        description = new.description
    $updates$);
--//
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--liquibase formatted sql`
add RBAC def for Domain and fix related assertions 2024-03-09 09:12:29 +01:00			`-- This code generated was by RbacViewPostgresGenerator at 2024-03-09T08:56:16.450322125.`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00
			`-- ============================================================================`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`--changeset test-package-rbac-OBJECT:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`call generateRelatedRbacObject('test_package');`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
removing JHipster 2022-07-22 13:31:37 +02:00

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`call generateRbacRoleDescriptors('testPackage', 'test_package');`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`--changeset test-package-rbac-insert-trigger:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`/*`
some minor amendments after self-code-review 2024-03-08 08:53:28 +01:00			`Creates the roles, grants and permission for the AFTER INSERT TRIGGER.`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`*/`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00
			`create or replace procedure buildRbacSystemForTestPackage(`
			`NEW test_package`
			`)`
			`language plpgsql as $$`

formatted SQL code 2022-07-29 08:46:04 +02:00			`declare`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`newCustomer test_customer;`
removing JHipster 2022-07-22 13:31:37 +02:00
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`begin`
add-trigger-object-to-rbacgrant (#18) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/18 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-02-24 09:04:07 +01:00			`call enterTriggerForObjectUuid(NEW.uuid);`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`SELECT * FROM test_customer c`
			`WHERE c.uuid= NEW.customerUuid`
			`into newCustomer;`
add-trigger-object-to-rbacgrant (#18) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/18 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-02-24 09:04:07 +01:00
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`testPackageOwner(NEW),`
			`permissions => array['DELETE', 'UPDATE'],`
			`incomingSuperRoles => array[testCustomerAdmin(newCustomer)]`
			`);`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`testPackageAdmin(NEW),`
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`incomingSuperRoles => array[testPackageOwner(NEW)]`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`);`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`testPackageTenant(NEW),`
			`permissions => array['SELECT'],`
			`incomingSuperRoles => array[testPackageAdmin(NEW)],`
			`outgoingSubRoles => array[testCustomerTenant(newCustomer)]`
			`);`
removing JHipster 2022-07-22 13:31:37 +02:00
add-trigger-object-to-rbacgrant (#18) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/18 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-02-24 09:04:07 +01:00			`call leaveTriggerForObjectUuid(NEW.uuid);`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`end; $$;`

			`/*`
			`AFTER INSERT TRIGGER to create the role+grant structure for a new test_package row.`
			`*/`

			`create or replace function insertTriggerForTestPackage_tf()`
			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`begin`
			`call buildRbacSystemForTestPackage(NEW);`
formatted SQL code 2022-07-29 08:46:04 +02:00			`return NEW;`
			`end; $$;`
removing JHipster 2022-07-22 13:31:37 +02:00
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`create trigger insertTriggerForTestPackage_tg`
			`after insert on test_package`
			`for each row`
			`execute procedure insertTriggerForTestPackage_tf();`

			`--//`

			`-- ============================================================================`
			`--changeset test-package-rbac-update-trigger:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`/*`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`Called from the AFTER UPDATE TRIGGER to re-wire the grants.`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`*/`

initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`create or replace procedure updateRbacRulesForTestPackage(`
			`OLD test_package,`
			`NEW test_package`
			`)`
			`language plpgsql as $$`

			`declare`
			`oldCustomer test_customer;`
			`newCustomer test_customer;`

			`begin`
			`call enterTriggerForObjectUuid(NEW.uuid);`

			`SELECT * FROM test_customer c`
			`WHERE c.uuid= OLD.customerUuid`
			`into oldCustomer;`
			`SELECT * FROM test_customer c`
			`WHERE c.uuid= NEW.customerUuid`
			`into newCustomer;`

			`if NEW.customerUuid <> OLD.customerUuid then`

			`call revokePermissionFromRole(findPermissionId(OLD.uuid, 'INSERT'), testCustomerAdmin(oldCustomer));`

			`call revokeRoleFromRole(testPackageOwner(OLD), testCustomerAdmin(oldCustomer));`
			`call grantRoleToRole(testPackageOwner(NEW), testCustomerAdmin(newCustomer));`

			`call revokeRoleFromRole(testCustomerTenant(oldCustomer), testPackageTenant(OLD));`
			`call grantRoleToRole(testCustomerTenant(newCustomer), testPackageTenant(NEW));`

			`end if;`

			`call leaveTriggerForObjectUuid(NEW.uuid);`
			`end; $$;`

			`/*`
			`AFTER INSERT TRIGGER to re-wire the grant structure for a new test_package row.`
			`*/`

			`create or replace function updateTriggerForTestPackage_tf()`
			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`begin`
			`call updateRbacRulesForTestPackage(OLD, NEW);`
			`return NEW;`
			`end; $$;`

			`create trigger updateTriggerForTestPackage_tg`
			`after update on test_package`
formatted SQL code 2022-07-29 08:46:04 +02:00			`for each row`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`execute procedure updateTriggerForTestPackage_tf();`

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`

initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`-- ============================================================================`
			`--changeset test-package-rbac-INSERT:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`

			`/*`
			`Creates INSERT INTO test_package permissions for the related test_customer rows.`
			`*/`
			`do language plpgsql $$`
			`declare`
			`row test_customer;`
			`permissionUuid uuid;`
			`roleUuid uuid;`
			`begin`
fix currentContext resp. define Context and fix related fixme 2024-03-07 14:42:25 +01:00			`call defineContext('create INSERT INTO test_package permissions for the related test_customer rows');`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00
			`FOR row IN SELECT * FROM test_customer`
			`LOOP`
			`roleUuid := findRoleId(testCustomerAdmin(row));`
			`permissionUuid := createPermission(row.uuid, 'INSERT', 'test_package');`
			`call grantPermissionToRole(roleUuid, permissionUuid);`
			`END LOOP;`
			`END;`
			`$$;`

			`/**`
			`Adds test_package INSERT permission to specified role of new test_customer rows.`
			`*/`
			`create or replace function test_package_test_customer_insert_tf()`
			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`begin`
			`call grantPermissionToRole(`
			`testCustomerAdmin(NEW),`
			`createPermission(NEW.uuid, 'INSERT', 'test_package'));`
			`return NEW;`
			`end; $$;`

			`create trigger test_package_test_customer_insert_tg`
			`after insert on test_customer`
			`for each row`
			`execute procedure test_package_test_customer_insert_tf();`

			`/**`
			`Checks if the user or assumed roles are allowed to insert a row to test_package.`
			`*/`
			`create or replace function test_package_insert_permission_missing_tf()`
			`returns trigger`
			`language plpgsql as $$`
			`begin`
fix TestCustomerControllerAcceptanceTest 2024-03-07 18:12:33 +01:00			`raise exception '[403] insert into test_package not allowed for current subjects % (%)',`
implement insert trigger if no explicit grant rule is specified 2024-03-07 12:26:07 +01:00			`currentSubjects(), currentSubjectsUuids();`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`end; $$;`

			`create trigger test_package_insert_permission_check_tg`
			`before insert on test_package`
			`for each row`
			`when ( not hasInsertPermission(NEW.customerUuid, 'INSERT', 'test_package') )`
			`execute procedure test_package_insert_permission_missing_tf();`

			`--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`-- ----------------------------------------------------------------------------`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`call generateRbacIdentityView('test_package', $idName$`
			`name`
			`$idName$);`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`--//`


			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
initially working version of generated INSERT-Trigger WIP WIP 2024-03-06 08:44:23 +01:00			`call generateRbacRestrictedView('test_package',`
			`'name',`
introduces generateRbacRestrictedView to generate restricted view + triggers 2022-09-19 20:43:14 +02:00			$updates$
			`version = new.version,`
			`customerUuid = new.customerUuid,`
			`description = new.description`
			`$updates$);`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
introduces generateRbacRestrictedView to generate restricted view + triggers 2022-09-19 20:43:14 +02:00