hs.hsadmin.ng/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql

--liquibase formatted sql

-- ============================================================================
--changeset hs-office-contact-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_contact');
--//


-- ============================================================================
--changeset hs-office-contact-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact');
--//


-- ============================================================================
--changeset hs-office-contact-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates the roles and their assignments for a new contact for the AFTER INSERT TRIGGER.
 */

create or replace function createRbacRolesForHsOfficeContact()
    returns trigger
    language plpgsql
    strict as $$
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    perform createRoleWithGrants(
            hsOfficeContactOwner(NEW),
            permissions => array['DELETE'],
            incomingSuperRoles => array[globalAdmin()],
            userUuids => array[currentUserUuid()],
            grantedByRole => globalAdmin()
        );

    perform createRoleWithGrants(
            hsOfficeContactAdmin(NEW),
            permissions => array['UPDATE'],
            incomingSuperRoles => array[hsOfficeContactOwner(NEW)]
        );

    perform createRoleWithGrants(
            hsOfficeContactReferrer(NEW),
            permissions => array['SELECT'],
            incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
        );

    return NEW;
end; $$;

/*
    An AFTER INSERT TRIGGER which creates the role structure for a new customer.
 */

create trigger createRbacRolesForHsOfficeContact_Trigger
    after insert
    on hs_office_contact
    for each row
execute procedure createRbacRolesForHsOfficeContact();
--//


-- ============================================================================
--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

call generateRbacIdentityViewFromProjection('hs_office_contact', $idName$
    target.label
    $idName$);
--//


-- ============================================================================
--changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_contact', 'target.label',
    $updates$
        label = new.label,
        postalAddress = new.postalAddress,
        emailAddresses = new.emailAddresses,
        phoneNumbers = new.phoneNumbers
    $updates$);
--/


-- ============================================================================
--changeset hs-office-contact-rbac-NEW-CONTACT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates a global permission for new-contact and assigns it to the hostsharing admins role.
 */
do language plpgsql $$
    declare
        addCustomerPermissions  uuid[];
        globalObjectUuid        uuid;
        globalAdminRoleUuid     uuid;
    begin
        call defineContext('granting global new-contact permission to global admin role', null, null, null);

        globalAdminRoleUuid := findRoleId(globalAdmin());
        globalObjectUuid := (select uuid from global);
        addCustomerPermissions := createPermissions(globalObjectUuid, array ['new-contact']);
        call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
    end;
$$;

/**
    Used by the trigger to prevent the add-customer to current user respectively assumed roles.
 */
create or replace function addHsOfficeContactNotAllowedForCurrentSubjects()
    returns trigger
    language PLPGSQL
as $$
begin
    raise exception '[403] new-contact not permitted for %',
        array_to_string(currentSubjects(), ';', 'null');
end; $$;

/**
    Checks if the user or assumed roles are allowed to create a new customer.
 */
create trigger hs_office_contact_insert_trigger
    before insert
    on hs_office_contact
    for each row
    -- TODO.spec: who is allowed to create new contacts
    when ( not hasAssumedRole() )
execute procedure addHsOfficeContactNotAllowedForCurrentSubjects();
--//
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`--liquibase formatted sql`

			`-- ============================================================================`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`--changeset hs-office-contact-rbac-OBJECT:1 endDelimiter:--//`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`-- ----------------------------------------------------------------------------`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`call generateRelatedRbacObject('hs_office_contact');`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`--//`

consolidating role deletion from business objects to rbac system 2022-09-13 10:58:54 +02:00
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`-- ============================================================================`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`--changeset hs-office-contact-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`-- ----------------------------------------------------------------------------`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`call generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact');`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`--//`


			`-- ============================================================================`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`--changeset hs-office-contact-rbac-ROLES-CREATION:1 endDelimiter:--//`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`-- ----------------------------------------------------------------------------`

			`/*`
			`Creates the roles and their assignments for a new contact for the AFTER INSERT TRIGGER.`
			`*/`

HsOfficePartnerControllerAcceptanceTest against real repo+db 2022-09-14 09:24:19 +02:00			`create or replace function createRbacRolesForHsOfficeContact()`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`begin`
			`if TG_OP <> 'INSERT' then`
			`raise exception 'invalid usage of TRIGGER AFTER INSERT';`
			`end if;`

introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
			`hsOfficeContactOwner(NEW),`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`permissions => array['DELETE'],`
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`incomingSuperRoles => array[globalAdmin()],`
			`userUuids => array[currentUserUuid()],`
			`grantedByRole => globalAdmin()`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`);`

introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`hsOfficeContactAdmin(NEW),`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`permissions => array['UPDATE'],`
introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`incomingSuperRoles => array[hsOfficeContactOwner(NEW)]`
add partner business object at repo level (WIP) 2022-09-09 17:43:43 +02:00			`);`

introduces agent+guest role for role-system around debitor+partner 2022-10-12 15:48:56 +02:00			`perform createRoleWithGrants(`
fix relationship-related grants (WIP) 2024-02-08 17:36:49 +01:00			`hsOfficeContactReferrer(NEW),`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`permissions => array['SELECT'],`
fix relationship-related grants (WIP) 2024-02-08 17:36:49 +01:00			`incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`);`

			`return NEW;`
			`end; $$;`

			`/*`
			`An AFTER INSERT TRIGGER which creates the role structure for a new customer.`
			`*/`

HsOfficePartnerControllerAcceptanceTest against real repo+db 2022-09-14 09:24:19 +02:00			`create trigger createRbacRolesForHsOfficeContact_Trigger`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`after insert`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`on hs_office_contact`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`for each row`
HsOfficePartnerControllerAcceptanceTest against real repo+db 2022-09-14 09:24:19 +02:00			`execute procedure createRbacRolesForHsOfficeContact();`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`--//`


			`-- ============================================================================`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`-- ----------------------------------------------------------------------------`

RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`call generateRbacIdentityViewFromProjection('hs_office_contact', $idName$`
introduces generateRbacIdentityView to generate identity views 2022-09-16 16:14:39 +02:00			`target.label`
			`$idName$);`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`--//`


			`-- ============================================================================`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`--changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--//`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`-- ----------------------------------------------------------------------------`
introduces generateRbacRestrictedView to generate restricted view + triggers 2022-09-19 20:43:14 +02:00			`call generateRbacRestrictedView('hs_office_contact', 'target.label',`
			$updates$
			`label = new.label,`
			`postalAddress = new.postalAddress,`
			`emailAddresses = new.emailAddresses,`
			`phoneNumbers = new.phoneNumbers`
			`$updates$);`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`--/`

introduces generateRbacRestrictedView to generate restricted view + triggers 2022-09-19 20:43:14 +02:00
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`-- ============================================================================`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`--changeset hs-office-contact-rbac-NEW-CONTACT:1 endDelimiter:--//`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`-- ----------------------------------------------------------------------------`
			`/*`
prepare hs-admin-customer files to be used as template + generate script v1 2022-09-07 14:04:45 +02:00			`Creates a global permission for new-contact and assigns it to the hostsharing admins role.`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`*/`
			`do language plpgsql $$`
			`declare`
			`addCustomerPermissions uuid[];`
			`globalObjectUuid uuid;`
initial data import for hs-office tables (db-migration #10) Co-authored-by: Michael Hoennig <michael@hoennig.de> Co-authored-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/10 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-01-23 15:11:23 +01:00			`globalAdminRoleUuid uuid;`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`begin`
prepare hs-admin-customer files to be used as template + generate script v1 2022-09-07 14:04:45 +02:00			`call defineContext('granting global new-contact permission to global admin role', null, null, null);`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00
			`globalAdminRoleUuid := findRoleId(globalAdmin());`
			`globalObjectUuid := (select uuid from global);`
prepare hs-admin-customer files to be used as template + generate script v1 2022-09-07 14:04:45 +02:00			`addCustomerPermissions := createPermissions(globalObjectUuid, array ['new-contact']);`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);`
			`end;`
			`$$;`

			`/**`
			`Used by the trigger to prevent the add-customer to current user respectively assumed roles.`
			`*/`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`create or replace function addHsOfficeContactNotAllowedForCurrentSubjects()`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`returns trigger`
			`language PLPGSQL`
			`as $$`
			`begin`
prepare hs-admin-customer files to be used as template + generate script v1 2022-09-07 14:04:45 +02:00			`raise exception '[403] new-contact not permitted for %',`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`array_to_string(currentSubjects(), ';', 'null');`
			`end; $$;`

			`/**`
			`Checks if the user or assumed roles are allowed to create a new customer.`
			`*/`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`create trigger hs_office_contact_insert_trigger`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`before insert`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`on hs_office_contact`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`for each row`
			`-- TODO.spec: who is allowed to create new contacts`
			`when ( not hasAssumedRole() )`
rename hs-admin to hs-office regarding the module name 2022-09-13 13:27:52 +02:00			`execute procedure addHsOfficeContactNotAllowedForCurrentSubjects();`
add hs_admin_contact table and repository with findContactByOptionalLabelLike+save 2022-09-06 19:43:15 +02:00			`--//`