hs.hsadmin.ng/src/main/resources/db/changelog/2022-07-28-007-rbac-views.sql

--liquibase formatted sql

-- ============================================================================
--changeset rbac-views-ROLE-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates a view to the role table with row-level limitation
    based on the grants of the current user or assumed roles.
 */
drop view if exists rbacrole_rv;
create or replace view rbacrole_rv as
select DISTINCT r.*, o.objectTable,
       findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
    from rbacrole as r
    join rbacobject as o on o.uuid=r.objectuuid
    where isGranted(currentSubjectIds(), r.uuid);
grant all privileges on rbacrole_rv to restricted;
--//


-- ============================================================================
--changeset rbac-views-USER-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates a view to the users table with row-level limitation
    based on the grants of the current user or assumed roles.
 */
drop view if exists RbacUser_rv;
create or replace view RbacUser_rv as
select u.*
    from RbacUser as u
             join RbacGrants as g on g.ascendantuuid = u.uuid
             join rbacrole_rv as r on r.uuid = g.descendantuuid;
grant all privileges on RbacUser_rv to restricted;
--//


-- ============================================================================
--changeset rbac-views-OWN-GRANTED-PERMISSIONS-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Creates a view to all permissions granted to the current user or
    based on the grants of the current user or assumed roles.
 */
-- @formatter:off
drop view if exists RbacOwnGrantedPermissions_rv;
create or replace view RbacOwnGrantedPermissions_rv as
select r.uuid as roleuuid, p.uuid as permissionUuid,
       (r.objecttable || '#' || r.objectidname || '.' ||  r.roletype) as roleName, p.op,
       o.objecttable, r.objectidname, o.uuid as objectuuid
    from rbacrole_rv r
    join rbacgrants g on g.ascendantuuid = r.uuid
    join rbacpermission p on p.uuid = g.descendantuuid
    join rbacobject o on o.uuid = p.objectuuid;
grant all privileges on RbacOwnGrantedPermissions_rv to restricted;
-- @formatter:om

-- ============================================================================
--changeset rbac-views-GRANTED-PERMISSIONS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
    Returns all permissions granted to the given user,
    which are also visible to the current user or assumed roles.


 */
create or replace function grantedPermissions(userName varchar)
    returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, objectTable varchar, objectIdName varchar, objectUuid uuid)
    returns null on null input
    language plpgsql as $$
declare
    targetUserId uuid;
    currentUserId uuid;
begin
    -- @formatter:off
    if cardinality(assumedRoles()) > 0 then
        raise exception '[400] grantedPermissions(...) does not support assumed roles';
    end if;

    targetUserId := findRbacUserId(userName);
    currentUserId := currentUserId();

    if hasGlobalRoleGranted(targetUserId) and not hasGlobalRoleGranted(currentUserId) then
        raise exception '[403] permissions of user "%" are not accessible to user "%"', userName, currentUser();
    end if;

    return query select
        xp.roleUuid,
        (xp.roleObjectTable || '#' || xp.roleObjectIdName || '.' || xp.roleType) as roleName,
        xp.permissionUuid, xp.op, xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid
        from (select
                  r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable,
                  findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
                  p.uuid as permissionUuid, p.op, po.objecttable as permissionObjectTable,
                  findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
                  po.uuid as permissionObjectUuid
              from queryPermissionsGrantedToSubjectId( targetUserId) as p
              join rbacgrants as g on g.descendantUuid = p.uuid
              join rbacobject as po on po.uuid = p.objectUuid
              join rbacrole_rv as r on r.uuid = g.ascendantUuid
              join rbacobject as ro on ro.uuid = r.objectUuid
              where isGranted(targetUserId, r.uuid)
             ) xp;
    -- @formatter:on
end; $$;
add RbacUserController/-Entity/-Repository 2022-08-04 17:19:45 +02:00			`--liquibase formatted sql`

			`-- ============================================================================`
			`--changeset rbac-views-ROLE-RESTRICTED-VIEW:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`
			`/*`
			`Creates a view to the role table with row-level limitation`
			`based on the grants of the current user or assumed roles.`
			`*/`
			`drop view if exists rbacrole_rv;`
			`create or replace view rbacrole_rv as`
			`select DISTINCT r.*, o.objectTable,`
			`findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName`
			`from rbacrole as r`
			`join rbacobject as o on o.uuid=r.objectuuid`
			`where isGranted(currentSubjectIds(), r.uuid);`
			`grant all privileges on rbacrole_rv to restricted;`
			`--//`


			`-- ============================================================================`
			`--changeset rbac-views-USER-RESTRICTED-VIEW:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`
			`/*`
			`Creates a view to the users table with row-level limitation`
			`based on the grants of the current user or assumed roles.`
			`*/`
			`drop view if exists RbacUser_rv;`
			`create or replace view RbacUser_rv as`
			`select u.*`
			`from RbacUser as u`
			`join RbacGrants as g on g.ascendantuuid = u.uuid`
			`join rbacrole_rv as r on r.uuid = g.descendantuuid;`
			`grant all privileges on RbacUser_rv to restricted;`
			`--//`


			`-- ============================================================================`
			`--changeset rbac-views-OWN-GRANTED-PERMISSIONS-VIEW:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`
			`/*`
			`Creates a view to all permissions granted to the current user or`
			`based on the grants of the current user or assumed roles.`
			`*/`
			`-- @formatter:off`
			`drop view if exists RbacOwnGrantedPermissions_rv;`
			`create or replace view RbacOwnGrantedPermissions_rv as`
			`select r.uuid as roleuuid, p.uuid as permissionUuid,`
			`(r.objecttable \|\| '#' \|\| r.objectidname \|\| '.' \|\| r.roletype) as roleName, p.op,`
			`o.objecttable, r.objectidname, o.uuid as objectuuid`
			`from rbacrole_rv r`
			`join rbacgrants g on g.ascendantuuid = r.uuid`
			`join rbacpermission p on p.uuid = g.descendantuuid`
			`join rbacobject o on o.uuid = p.objectuuid;`
			`grant all privileges on RbacOwnGrantedPermissions_rv to restricted;`
			`-- @formatter:om`

			`-- ============================================================================`
			`--changeset rbac-views-GRANTED-PERMISSIONS:1 endDelimiter:--//`
			`-- ----------------------------------------------------------------------------`
			`/*`
			`Returns all permissions granted to the given user,`
			`which are also visible to the current user or assumed roles.`
add RbacUser* tests and improved http status codes 2022-08-05 14:31:54 +02:00

add RbacUserController/-Entity/-Repository 2022-08-04 17:19:45 +02:00			`*/`
			`create or replace function grantedPermissions(userName varchar)`
			`returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, objectTable varchar, objectIdName varchar, objectUuid uuid)`
			`returns null on null input`
			`language plpgsql as $$`
add RbacUser* tests and improved http status codes 2022-08-05 14:31:54 +02:00			`declare`
			`targetUserId uuid;`
			`currentUserId uuid;`
add RbacUserController/-Entity/-Repository 2022-08-04 17:19:45 +02:00			`begin`
			`-- @formatter:off`
			`if cardinality(assumedRoles()) > 0 then`
add RbacUser* tests and improved http status codes 2022-08-05 14:31:54 +02:00			`raise exception '[400] grantedPermissions(...) does not support assumed roles';`
			`end if;`

			`targetUserId := findRbacUserId(userName);`
			`currentUserId := currentUserId();`

			`if hasGlobalRoleGranted(targetUserId) and not hasGlobalRoleGranted(currentUserId) then`
			`raise exception '[403] permissions of user "%" are not accessible to user "%"', userName, currentUser();`
add RbacUserController/-Entity/-Repository 2022-08-04 17:19:45 +02:00			`end if;`

			`return query select`
			`xp.roleUuid,`
add RbacUser* tests and improved http status codes 2022-08-05 14:31:54 +02:00			`(xp.roleObjectTable \|\| '#' \|\| xp.roleObjectIdName \|\| '.' \|\| xp.roleType) as roleName,`
			`xp.permissionUuid, xp.op, xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid`
add RbacUserController/-Entity/-Repository 2022-08-04 17:19:45 +02:00			`from (select`
add RbacUser* tests and improved http status codes 2022-08-05 14:31:54 +02:00			`r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable,`
			`findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,`
			`p.uuid as permissionUuid, p.op, po.objecttable as permissionObjectTable,`
			`findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,`
			`po.uuid as permissionObjectUuid`
			`from queryPermissionsGrantedToSubjectId( targetUserId) as p`
			`join rbacgrants as g on g.descendantUuid = p.uuid`
			`join rbacobject as po on po.uuid = p.objectUuid`
			`join rbacrole_rv as r on r.uuid = g.ascendantUuid`
			`join rbacobject as ro on ro.uuid = r.objectUuid`
			`where isGranted(targetUserId, r.uuid)`
add RbacUserController/-Entity/-Repository 2022-08-04 17:19:45 +02:00			`) xp;`
			`-- @formatter:on`
			`end; $$;`