2022-08-14 16:44:26 +02:00
|
|
|
--liquibase formatted sql
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-09-16 15:25:58 +02:00
|
|
|
--changeset test-domain-rbac-OBJECT:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
2022-09-16 15:25:58 +02:00
|
|
|
call generateRelatedRbacObject('test_domain');
|
2022-08-14 16:44:26 +02:00
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 14:57:15 +02:00
|
|
|
--changeset test-domain-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
2022-09-16 15:25:58 +02:00
|
|
|
call generateRbacRoleDescriptors('testDomain', 'test_domain');
|
2022-08-14 16:44:26 +02:00
|
|
|
|
2022-08-31 14:57:15 +02:00
|
|
|
create or replace function createTestDomainTenantRoleIfNotExists(domain test_domain)
|
2022-08-14 16:44:26 +02:00
|
|
|
returns uuid
|
|
|
|
returns null on null input
|
|
|
|
language plpgsql as $$
|
|
|
|
declare
|
2022-08-31 14:57:15 +02:00
|
|
|
domainTenantRoleDesc RbacRoleDescriptor;
|
|
|
|
domainTenantRoleUuid uuid;
|
2022-08-14 16:44:26 +02:00
|
|
|
begin
|
2022-08-31 14:57:15 +02:00
|
|
|
domainTenantRoleDesc = testdomainTenant(domain);
|
|
|
|
domainTenantRoleUuid = findRoleId(domainTenantRoleDesc);
|
|
|
|
if domainTenantRoleUuid is not null then
|
|
|
|
return domainTenantRoleUuid;
|
2022-08-14 16:44:26 +02:00
|
|
|
end if;
|
|
|
|
|
|
|
|
return createRole(
|
2022-08-31 14:57:15 +02:00
|
|
|
domainTenantRoleDesc,
|
|
|
|
grantingPermissions(forObjectUuid => domain.uuid, permitOps => array ['view']),
|
|
|
|
beneathRole(testdomainAdmin(domain))
|
2022-08-14 16:44:26 +02:00
|
|
|
);
|
|
|
|
end; $$;
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 14:57:15 +02:00
|
|
|
--changeset test-domain-rbac-ROLES-CREATION:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
/*
|
2022-08-31 14:57:15 +02:00
|
|
|
Creates the roles and their assignments for a new domain for the AFTER INSERT TRIGGER.
|
2022-08-14 16:44:26 +02:00
|
|
|
*/
|
|
|
|
|
2022-08-31 14:57:15 +02:00
|
|
|
create or replace function createRbacRulesForTestDomain()
|
2022-08-14 16:44:26 +02:00
|
|
|
returns trigger
|
|
|
|
language plpgsql
|
|
|
|
strict as $$
|
|
|
|
declare
|
2022-08-31 09:42:40 +02:00
|
|
|
parentPackage test_package;
|
2022-08-31 14:57:15 +02:00
|
|
|
domainOwnerRoleId uuid;
|
|
|
|
domainAdminRoleId uuid;
|
2022-08-14 16:44:26 +02:00
|
|
|
begin
|
|
|
|
if TG_OP <> 'INSERT' then
|
|
|
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
|
|
|
end if;
|
|
|
|
|
2022-08-31 09:42:40 +02:00
|
|
|
select * from test_package where uuid = NEW.packageUuid into parentPackage;
|
2022-08-14 16:44:26 +02:00
|
|
|
|
|
|
|
-- an owner role is created and assigned to the package's admin group
|
2022-08-31 14:57:15 +02:00
|
|
|
domainOwnerRoleId = createRole(
|
|
|
|
testdomainOwner(NEW),
|
2022-08-14 16:44:26 +02:00
|
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
2022-08-31 09:42:40 +02:00
|
|
|
beneathRole(testPackageAdmin(parentPackage))
|
2022-08-14 16:44:26 +02:00
|
|
|
);
|
|
|
|
|
2022-08-31 14:57:15 +02:00
|
|
|
-- and a domain admin role is created and assigned to the domain owner as well
|
|
|
|
domainAdminRoleId = createRole(
|
|
|
|
testdomainAdmin(NEW),
|
2022-08-14 16:44:26 +02:00
|
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
2022-08-31 14:57:15 +02:00
|
|
|
beneathRole(domainOwnerRoleId),
|
2022-08-31 09:42:40 +02:00
|
|
|
beingItselfA(testPackageTenant(parentPackage))
|
2022-08-14 16:44:26 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
-- a tenent role is only created on demand
|
|
|
|
|
|
|
|
return NEW;
|
|
|
|
end; $$;
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
2022-08-31 14:57:15 +02:00
|
|
|
An AFTER INSERT TRIGGER which creates the role structure for a new domain.
|
2022-08-14 16:44:26 +02:00
|
|
|
*/
|
2022-08-31 14:57:15 +02:00
|
|
|
drop trigger if exists createRbacRulesForTestDomain_Trigger on test_domain;
|
|
|
|
create trigger createRbacRulesForTestDomain_Trigger
|
2022-08-14 16:44:26 +02:00
|
|
|
after insert
|
2022-08-31 14:57:15 +02:00
|
|
|
on test_domain
|
2022-08-14 16:44:26 +02:00
|
|
|
for each row
|
2022-08-31 14:57:15 +02:00
|
|
|
execute procedure createRbacRulesForTestDomain();
|
2022-08-14 16:44:26 +02:00
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-08-31 14:57:15 +02:00
|
|
|
--changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
2022-09-16 16:14:39 +02:00
|
|
|
call generateRbacIdentityView('test_domain', $idName$
|
|
|
|
target.name
|
|
|
|
$idName$);
|
2022-08-14 16:44:26 +02:00
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
2022-09-19 20:43:14 +02:00
|
|
|
--changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
2022-08-14 16:44:26 +02:00
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
/*
|
|
|
|
Creates a view to the customer main table which maps the identifying name
|
|
|
|
(in this case, the prefix) to the objectUuid.
|
|
|
|
*/
|
2022-08-31 14:57:15 +02:00
|
|
|
drop view if exists test_domain_rv;
|
|
|
|
create or replace view test_domain_rv as
|
2022-08-14 16:44:26 +02:00
|
|
|
select target.*
|
2022-08-31 14:57:15 +02:00
|
|
|
from test_domain as target
|
|
|
|
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
|
|
|
|
grant all privileges on test_domain_rv to restricted;
|
2022-08-14 16:44:26 +02:00
|
|
|
--//
|