hs.hsadmin.ng/src/main/resources/db/changelog/123-test-package-rbac.sql

--liquibase formatted sql

-- ============================================================================
--changeset test-package-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_package');
--//


-- ============================================================================
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testPackage', 'test_package');
--//


-- ============================================================================
--changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
 */
create or replace function createRbacRolesForTestPackage()
    returns trigger
    language plpgsql
    strict as $$
declare
    parentCustomer       test_customer;
    packageOwnerRoleUuid uuid;
    packageAdminRoleUuid uuid;
begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
    end if;

    select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;

    -- an owner role is created and assigned to the customer's admin role
    packageOwnerRoleUuid = createRole(
        testPackageOwner(NEW),
        withoutPermissions(),
        beneathRole(testCustomerAdmin(parentCustomer))
        );

    -- an owner role is created and assigned to the package owner role
    packageAdminRoleUuid = createRole(
        testPackageAdmin(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-domain']),
        beneathRole(packageOwnerRoleUuid)
        );

    -- and a package tenant role is created and assigned to the package admin as well
    perform createRole(
        testPackageTenant(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
        beneathRole(packageAdminRoleUuid),
        beingItselfA(testCustomerTenant(parentCustomer))
        );

    return NEW;
end; $$;

/*
    An AFTER INSERT TRIGGER which creates the role structure for a new package.
 */

drop trigger if exists createRbacRolesForTestPackage_Trigger on test_package;
create trigger createRbacRolesForTestPackage_Trigger
    after insert
    on test_package
    for each row
execute procedure createRbacRolesForTestPackage();
--//


-- ============================================================================
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates a view to the package main table which maps the identifying name
    (in this case, actually the column `name`) to the objectUuid.
 */
drop view if exists test_package_iv;
create or replace view test_package_iv as
select distinct target.uuid, target.name as idName
    from test_package as target;
-- TODO: Is it ok that everybody has access to this information?
grant all privileges on test_package_iv to restricted;

/*
    Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
 */
create or replace function test_packageUuidByIdName(idName varchar)
    returns uuid
    language sql
    strict as $$
select uuid from test_package_iv iv where iv.idName = test_packageUuidByIdName.idName;
$$;

/*
    Returns the identifying name for a given objectUuid (in this case the name).
 */
create or replace function test_packageIdNameByUuid(uuid uuid)
    returns varchar
    stable leakproof
    language sql
    strict as $$
select idName from test_package_iv iv where iv.uuid = test_packageIdNameByUuid.uuid;
$$;
--//


-- ============================================================================
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates a view to the customer main table which maps the identifying name
    (in this case, the prefix) to the objectUuid.
 */
drop view if exists test_package_rv;
create or replace view test_package_rv as
select target.*
    from test_package as target
    where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
    order by target.name;
grant all privileges on test_package_rv to restricted;
--//
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--liquibase formatted sql`

			`-- ============================================================================`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`--changeset test-package-rbac-OBJECT:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`call generateRelatedRbacObject('test_package');`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
removing JHipster 2022-07-22 13:31:37 +02:00

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors 2022-09-16 15:25:58 +02:00			`call generateRbacRoleDescriptors('testPackage', 'test_package');`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00

hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`
			`/*`
			`Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function createRbacRolesForTestPackage()`
formatted SQL code 2022-07-29 08:46:04 +02:00			`returns trigger`
			`language plpgsql`
			`strict as $$`
			`declare`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`parentCustomer test_customer;`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`packageOwnerRoleUuid uuid;`
			`packageAdminRoleUuid uuid;`
formatted SQL code 2022-07-29 08:46:04 +02:00			`begin`
			`if TG_OP <> 'INSERT' then`
			`raise exception 'invalid usage of TRIGGER AFTER INSERT';`
			`end if;`
removing JHipster 2022-07-22 13:31:37 +02:00
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;`
removing JHipster 2022-07-22 13:31:37 +02:00
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`-- an owner role is created and assigned to the customer's admin role`
			`packageOwnerRoleUuid = createRole(`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`testPackageOwner(NEW),`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`withoutPermissions(),`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`beneathRole(testCustomerAdmin(parentCustomer))`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`

			`-- an owner role is created and assigned to the package owner role`
			`packageAdminRoleUuid = createRole(`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`testPackageAdmin(NEW),`
replace unixuser test entities with domain 2022-08-31 14:57:15 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-domain']),`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`beneathRole(packageOwnerRoleUuid)`
			`);`

			`-- and a package tenant role is created and assigned to the package admin as well`
			`perform createRole(`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`testPackageTenant(NEW),`
formatted SQL code 2022-07-29 08:46:04 +02:00			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`beneathRole(packageAdminRoleUuid),`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`beingItselfA(testCustomerTenant(parentCustomer))`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`);`
removing JHipster 2022-07-22 13:31:37 +02:00
formatted SQL code 2022-07-29 08:46:04 +02:00			`return NEW;`
			`end; $$;`
removing JHipster 2022-07-22 13:31:37 +02:00
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`/*`
			`An AFTER INSERT TRIGGER which creates the role structure for a new package.`
			`*/`

use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`drop trigger if exists createRbacRolesForTestPackage_Trigger on test_package;`
			`create trigger createRbacRolesForTestPackage_Trigger`
formatted SQL code 2022-07-29 08:46:04 +02:00			`after insert`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`on test_package`
formatted SQL code 2022-07-29 08:46:04 +02:00			`for each row`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`execute procedure createRbacRolesForTestPackage();`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`


			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`-- ----------------------------------------------------------------------------`

			`/*`
			`Creates a view to the package main table which maps the identifying name`
			(in this case, actually the column `name`) to the objectUuid.
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`drop view if exists test_package_iv;`
			`create or replace view test_package_iv as`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`select distinct target.uuid, target.name as idName`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`from test_package as target;`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`-- TODO: Is it ok that everybody has access to this information?`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`grant all privileges on test_package_iv to restricted;`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00
			`/*`
			Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function test_packageUuidByIdName(idName varchar)`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`returns uuid`
			`language sql`
			`strict as $$`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`select uuid from test_package_iv iv where iv.idName = test_packageUuidByIdName.idName;`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`$$;`
add RbacRole... 2022-08-03 06:12:16 +02:00
			`/*`
			`Returns the identifying name for a given objectUuid (in this case the name).`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`create or replace function test_packageIdNameByUuid(uuid uuid)`
add RbacRole... 2022-08-03 06:12:16 +02:00			`returns varchar`
add RbacUserController/-Entity/-Repository 2022-08-04 17:19:45 +02:00			`stable leakproof`
add RbacRole... 2022-08-03 06:12:16 +02:00			`language sql`
			`strict as $$`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`select idName from test_package_iv iv where iv.uuid = test_packageIdNameByUuid.uuid;`
add RbacRole... 2022-08-03 06:12:16 +02:00			`$$;`
make package owner/admin/tenant roles assumable 2022-07-29 16:25:46 +02:00			`--//`


			`-- ============================================================================`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`-- ----------------------------------------------------------------------------`

			`/*`
			`Creates a view to the customer main table which maps the identifying name`
			`(in this case, the prefix) to the objectUuid.`
			`*/`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`drop view if exists test_package_rv;`
			`create or replace view test_package_rv as`
add-customer and introducing JpaAttempt test helper 2022-08-02 11:51:36 +02:00			`select target.*`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`from test_package as target`
			`where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))`
add updatePackage (description) using JsonNullableModule and HTTP-to-DB test with RestAssured 2022-08-09 17:51:50 +02:00			`order by target.name;`
use customer/package/unixuser only as test data structure (DB part) 2022-08-31 09:42:40 +02:00			`grant all privileges on test_package_rv to restricted;`
hs-package SQL-Scripts in Liquibase and some bugfixes 2022-07-29 12:37:40 +02:00			`--//`