-- ========================================================
-- EMailAddress example with RBAC
-- --------------------------------------------------------
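-- run the DDL as the connection's login role, not as any role assumed earlier in the session
SET SESSION SESSION AUTHORIZATION DEFAULT;

-- One row per e-mail address. The RBAC identity of a row lives in RbacObject and is
-- linked via uuid. IF NOT EXISTS: an already existing table does NOT pick up changed
-- constraints; use ALTER TABLE for that.
CREATE TABLE IF NOT EXISTS EMailAddress (
    -- presumably filled in by the BEFORE INSERT trigger createRbacObjectForEMailAddress_Trigger
    -- (inserts below omit it) -- verify in createRbacObject().
    -- NOTE(review): UNIQUE still admits NULL; a row without a uuid has no RBAC object and
    -- can never match the uuid filter of the RBAC view. Consider PRIMARY KEY once the
    -- trigger contract is confirmed.
    uuid uuid UNIQUE REFERENCES RbacObject(uuid),
    -- NOT NULL: the AFTER INSERT trigger builds the role name as localPart || '@' || domain
    -- name; a NULL here would turn the whole role name into NULL
    localPart character varying(64) NOT NULL,
    -- NOT NULL: REFERENCES does not check a NULL FK, and the AFTER INSERT trigger needs the
    -- parent domain to derive the role hierarchy
    domainUuid uuid NOT NULL REFERENCES domain(uuid)
);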
-- (Re)install the BEFORE INSERT trigger idempotently. createRbacObject() is the shared
-- RBAC hook; it is expected to register the new row as an RBAC object (and presumably to
-- assign NEW.uuid, since inserts in this file omit it -- verify there).
DROP TRIGGER IF EXISTS createRbacObjectForEMailAddress_Trigger ON EMailAddress;
CREATE TRIGGER createRbacObjectForEMailAddress_Trigger
    BEFORE INSERT ON EMailAddress
    FOR EACH ROW
    EXECUTE FUNCTION createRbacObject();
-- Name of the owner role of an e-mail address; the format itself is produced by
-- roleName() from the object type 'emailaddress', the address and the suffix 'owner'.
-- STRICT: a NULL address yields NULL without calling roleName().
CREATE OR REPLACE FUNCTION emailAddressOwner(emailAddress varchar)
    RETURNS varchar
    LANGUAGE plpgsql STRICT AS $body$
DECLARE
    ownerRoleName varchar;
BEGIN
    ownerRoleName := roleName('emailaddress', emailAddress, 'owner');
    RETURN ownerRoleName;
END;
$body$;
-- Name of the admin role of an e-mail address; the format itself is produced by
-- roleName() from the object type 'emailaddress', the address and the suffix 'admin'.
-- STRICT: a NULL address yields NULL without calling roleName().
CREATE OR REPLACE FUNCTION emailAddressAdmin(emailAddress varchar)
    RETURNS varchar
    LANGUAGE plpgsql STRICT AS $body$
DECLARE
    adminRoleName varchar;
BEGIN
    adminRoleName := roleName('emailaddress', emailAddress, 'admin');
    RETURN adminRoleName;
END;
$body$;
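-- AFTER INSERT trigger function: creates the RBAC roles for a freshly inserted EMailAddress.
-- Two roles are created for the address "<localPart>@<domain name>":
--   * owner role: permits all operations ('*') on the object and is placed beneath the
--     admin role of the parent domain;
--   * admin role: permits 'edit', is placed beneath the owner role and is itself a member
--     of the parent domain's tenant role.
-- Raises if the trigger is attached to anything but INSERT, if the parent domain cannot
-- be found, or if localPart is NULL (either would otherwise produce a NULL role name).
CREATE OR REPLACE FUNCTION createRbacRulesForEMailAddress()
    RETURNS trigger
    LANGUAGE plpgsql STRICT AS $$
DECLARE
    parentDomain record;
    eMailAddress varchar;
    eMailAddressOwnerRoleUuid uuid;
BEGIN
    IF TG_OP <> 'INSERT' THEN
        RAISE EXCEPTION 'invalid usage of TRIGGER AFTER INSERT';
    END IF;

    -- LEFT JOIN: the unixuser is optional here, so parentDomain.unixUserName may be NULL;
    -- how domainAdmin()/domainTenant() treat a NULL user name is not visible in this file.
    SELECT d.name as name, u.name as unixUserName
        INTO parentDomain
        FROM domain d
        LEFT JOIN unixuser u ON u.uuid = d.unixuseruuid
        WHERE d.uuid = NEW.domainUuid;

    -- The FK on domainUuid is not checked for a NULL value, so a row can reach this point
    -- without a parent domain; without this guard eMailAddress would be NULL and
    -- createRole() would be called with a NULL role name.
    IF NOT FOUND THEN
        RAISE EXCEPTION 'EMailAddress %: domain % not found', NEW.uuid, NEW.domainUuid;
    END IF;
    IF NEW.localPart IS NULL THEN
        RAISE EXCEPTION 'EMailAddress %: localPart must not be NULL', NEW.uuid;
    END IF;

    eMailAddress = NEW.localPart || '@' || parentDomain.name;

    -- owner role: full permissions on the object, assigned beneath the domain's admin role
    eMailAddressOwnerRoleUuid = createRole(
        emailAddressOwner(eMailAddress),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),
        beneathRole(domainAdmin(parentDomain.unixUserName, parentDomain.name))
    );

    -- admin role: 'edit' only, beneath the owner role, and itself a domain tenant
    PERFORM createRole(
        emailAddressAdmin(eMailAddress),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['edit']),
        beneathRole(eMailAddressOwnerRoleUuid),
        beingItselfA(domainTenant(parentDomain.unixUserName, parentDomain.name))
    );

    RETURN NEW;
END; $$;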
-- (Re)install the AFTER INSERT trigger idempotently; it hands each new row to
-- createRbacRulesForEMailAddress(), which sets up the owner/admin roles for it.
DROP TRIGGER IF EXISTS createRbacRulesForEMailAddress_Trigger ON EMailAddress;
CREATE TRIGGER createRbacRulesForEMailAddress_Trigger
    AFTER INSERT ON EMailAddress
    FOR EACH ROW
    EXECUTE FUNCTION createRbacRulesForEMailAddress();
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForEMailAddress()
-- create RBAC-restricted view
-- variant 1: filters with WHERE ... IN (subquery). Note that the SELECT DISTINCT below makes
-- this view NOT automatically updatable in PostgreSQL; it is dropped and redefined further
-- down anyway, so this definition never stays in effect.
-- Variant 1 of the RBAC-restricted view (superseded by the redefinition below).
SET SESSION SESSION AUTHORIZATION DEFAULT;
-- NOTE(review): RLS is switched on here, but no CREATE POLICY for EMailAddress appears in
-- this file, and a table owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set. The
-- access control actually visible here is the WHERE clause of the view, not RLS.
ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS EMailAddress_rv;
-- rows of EMailAddress for which the current subject(s) hold the 'view' permission
CREATE OR REPLACE VIEW EMailAddress_rv AS
SELECT DISTINCT target.*
FROM EMailAddress AS target
WHERE target.uuid IN (SELECT DISTINCT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds()));
-- NOTE(review): ALL PRIVILEGES includes INSERT/UPDATE/DELETE although the view's only
-- gate is the 'view' permission. With SELECT DISTINCT the view is not automatically
-- updatable, so writes through this particular definition would be rejected by PostgreSQL.
GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted;
-- variant 2 (the definition that remains in effect): identical to variant 1 except without
-- DISTINCT, so it IS automatically updatable. Contrary to the original comment it still
-- filters with WHERE ... IN (subquery); no JOIN variant is present in this file.
-- Variant 2 of the RBAC-restricted view: the definition that actually stays in effect.
SET SESSION SESSION AUTHORIZATION DEFAULT;
-- idempotent re-enable. NOTE(review): no CREATE POLICY for EMailAddress appears in this
-- file, and a table owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set, so the
-- effective access control visible here is the view's WHERE clause, not RLS.
ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS EMailAddress_rv;
-- rows of EMailAddress for which the current subject(s) hold the 'view' permission;
-- no DISTINCT, so PostgreSQL treats the view as automatically updatable
CREATE OR REPLACE VIEW EMailAddress_rv AS
SELECT target.*
FROM EMailAddress AS target
WHERE target.uuid IN (SELECT DISTINCT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds()));
-- NOTE(review): ALL PRIVILEGES on an auto-updatable view lets 'restricted' UPDATE/DELETE
-- every row it can see, i.e. the 'view' permission is the only gate for writes, and INSERT
-- is not filtered at all (no WITH CHECK OPTION). By default the view runs with its owner's
-- rights, so grants or RLS on the base table do not narrow this. Unless the 'edit'
-- permission is enforced elsewhere (not in this file), consider GRANT SELECT only and
-- routing writes through permission-checked functions.
GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted;
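-- generate EMailAddress test data: five addresses per domain, each inserted as the
-- package admin of that domain's package and committed on its own.
-- Must run outside an explicit transaction because of the COMMIT inside the loop.
DO LANGUAGE plpgsql $$
DECLARE
    dom record;
    pacAdmin varchar;
    currentTask varchar;
BEGIN
    -- session-wide reset so no caller identity leaks into the first iteration
    SET hsadminng.currentUser TO '';

    FOR dom IN (
        SELECT d.uuid, d.name, p.name as packageName
            FROM domain d
            JOIN unixuser u ON u.uuid = d.unixuseruuid
            JOIN package p ON u.packageuuid = p.uuid
            JOIN customer c ON p.customeruuid = c.uuid
            -- WHERE c.reference >= 18000
    ) LOOP
        FOR t IN 0..4 LOOP
            currentTask = 'creating RBAC test EMailAddress #' || t || ' for Domain ' || dom.name;
            RAISE NOTICE 'task: %', currentTask;

            pacAdmin = 'admin@' || dom.packageName || '.example.com';

            -- PL/pgSQL does not substitute variables into SET: `SET LOCAL ... TO pacAdmin`
            -- stores the identifier text, not the variable's value, so the inserts would
            -- not run as the package admin. set_config(..., is_local => true) is the
            -- transaction-scoped equivalent of SET LOCAL and does take the value.
            PERFORM set_config('hsadminng.currentUser', pacAdmin, true);
            PERFORM set_config('hsadminng.assumedRoles', '', true);
            PERFORM set_config('hsadminng.currentTask', currentTask, true);

            INSERT INTO EMailAddress (localPart, domainUuid)
                VALUES ('local' || t, dom.uuid);

            -- the transaction-local settings above end with this COMMIT and are
            -- re-applied on the next iteration
            COMMIT;
        END LOOP;
    END LOOP;
END;
$$;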