hs.hsadmin.ng/sql/24-hs-domain.sql


-- ========================================================
-- Domain example with RBAC
-- --------------------------------------------------------

SET SESSION SESSION AUTHORIZATION DEFAULT ;

CREATE TABLE IF NOT EXISTS Domain (
    uuid uuid UNIQUE REFERENCES RbacObject(uuid),
    name character varying(32),
    unixUserUuid uuid REFERENCES unixuser(uuid)
);

DROP TRIGGER IF EXISTS createRbacObjectForDomain_Trigger ON Domain;
CREATE TRIGGER createRbacObjectForDomain_Trigger
    BEFORE INSERT ON Domain
    FOR EACH ROW EXECUTE PROCEDURE createRbacObject();

CREATE OR REPLACE FUNCTION domainOwner(unixUserName varchar, domainName varchar)
    RETURNS varchar
    LANGUAGE plpgsql STRICT AS $$
begin
    return roleName('domain', unixUserName || '/' || domainName, 'owner');
end; $$;

CREATE OR REPLACE FUNCTION domainAdmin(unixUserName varchar, domainName varchar)
    RETURNS varchar
    LANGUAGE plpgsql STRICT AS $$
begin
    return roleName('domain', unixUserName || '/' || domainName, 'admin');
end; $$;

CREATE OR REPLACE FUNCTION domainTenant(unixUserName varchar, domainName varchar)
    RETURNS varchar
    LANGUAGE plpgsql STRICT AS $$
begin
    return roleName('domain', unixUserName || '/' || domainName, 'tenant');
end; $$;


CREATE OR REPLACE FUNCTION createRbacRulesForDomain()
    RETURNS trigger
    LANGUAGE plpgsql STRICT AS $$
DECLARE
    parentUser unixuser;
    domainOwnerRoleUuid uuid;
    domainAdminRoleUuid uuid;
BEGIN
    IF TG_OP <> 'INSERT' THEN
        RAISE EXCEPTION 'invalid usage of TRIGGER AFTER INSERT';
    END IF;

    SELECT * FROM unixuser WHERE uuid=NEW.unixUserUuid into parentUser;

    -- a domain owner role is created and assigned to the unixuser's admin role
    domainOwnerRoleUuid = createRole(
        domainOwner(parentUser.name, NEW.name),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),
        beneathRole(unixUserAdmin(parentUser.name))
        );

    -- a domain admin role is created and assigned to the domain's owner role
    domainAdminRoleUuid = createRole(
        domainAdmin(parentUser.name, NEW.name),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['edit', 'add-emailaddress']),
        beneathRole(domainOwnerRoleUuid)
        );

    -- and a domain tenant role is created and assigned to the domain's admiin role
    perform createRole(
        domainTenant(parentUser.name, NEW.name),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),
        beneathRole(domainAdminRoleUuid),
        beingItselfA(createUnixUserTenantRoleIfNotExists(parentUser))
        );

    RETURN NEW;
END; $$;

DROP TRIGGER IF EXISTS createRbacRulesForDomain_Trigger ON Domain;
CREATE TRIGGER createRbacRulesForDomain_Trigger
    AFTER INSERT ON Domain
    FOR EACH ROW EXECUTE PROCEDURE createRbacRulesForDomain();

-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForDomain()


-- create RBAC restricted view

SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS domain_rv;
CREATE OR REPLACE VIEW domain_rv AS
    SELECT DISTINCT target.*
      FROM Domain AS target
      JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()) AS allowedObjId
           ON target.uuid = allowedObjId;
GRANT ALL PRIVILEGES ON domain_rv TO restricted;


-- generate Domain test data

DO LANGUAGE plpgsql $$
    DECLARE
        uu unixuser;
        pac package;
        pacAdmin varchar;
        currentTask varchar;
    BEGIN
        SET hsadminng.currentUser TO '';

        FOR uu IN (SELECT * FROM unixuser) LOOP
            IF ( random() < 0.3 ) THEN
                FOR t IN 0..1 LOOP
                    currentTask = 'creating RBAC test Domain #' || t || ' for UnixUser ' || uu.name|| ' #' || uu.uuid;
                    RAISE NOTICE 'task: %', currentTask;

                    SELECT * FROM package WHERE uuid=uu.packageUuid INTO pac;
                    pacAdmin = 'admin@' || pac.name || '.example.com';
                    SET LOCAL hsadminng.currentUser TO pacAdmin;
                    SET LOCAL hsadminng.assumedRoles = '';
                    SET LOCAL hsadminng.currentTask TO currentTask;

                    INSERT INTO Domain (name, unixUserUuid)
                        VALUES ('dom-' || t || '.' || uu.name || '.example.org' , uu.uuid);

                    COMMIT;
                END LOOP;
            END IF;
        END LOOP;

    END;
$$;
removing JHipster 2022-07-22 13:31:37 +02:00
			`-- ========================================================`
			`-- Domain example with RBAC`
			`-- --------------------------------------------------------`

			`SET SESSION SESSION AUTHORIZATION DEFAULT ;`

			`CREATE TABLE IF NOT EXISTS Domain (`
			`uuid uuid UNIQUE REFERENCES RbacObject(uuid),`
			`name character varying(32),`
			`unixUserUuid uuid REFERENCES unixuser(uuid)`
			`);`

			`DROP TRIGGER IF EXISTS createRbacObjectForDomain_Trigger ON Domain;`
			`CREATE TRIGGER createRbacObjectForDomain_Trigger`
			`BEFORE INSERT ON Domain`
			`FOR EACH ROW EXECUTE PROCEDURE createRbacObject();`

improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`CREATE OR REPLACE FUNCTION domainOwner(unixUserName varchar, domainName varchar)`
			`RETURNS varchar`
			`LANGUAGE plpgsql STRICT AS $$`
			`begin`
			`return roleName('domain', unixUserName \|\| '/' \|\| domainName, 'owner');`
			`end; $$;`

			`CREATE OR REPLACE FUNCTION domainAdmin(unixUserName varchar, domainName varchar)`
			`RETURNS varchar`
			`LANGUAGE plpgsql STRICT AS $$`
			`begin`
			`return roleName('domain', unixUserName \|\| '/' \|\| domainName, 'admin');`
			`end; $$;`

			`CREATE OR REPLACE FUNCTION domainTenant(unixUserName varchar, domainName varchar)`
			`RETURNS varchar`
			`LANGUAGE plpgsql STRICT AS $$`
			`begin`
			`return roleName('domain', unixUserName \|\| '/' \|\| domainName, 'tenant');`
			`end; $$;`


removing JHipster 2022-07-22 13:31:37 +02:00			`CREATE OR REPLACE FUNCTION createRbacRulesForDomain()`
			`RETURNS trigger`
			`LANGUAGE plpgsql STRICT AS $$`
			`DECLARE`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`parentUser unixuser;`
			`domainOwnerRoleUuid uuid;`
			`domainAdminRoleUuid uuid;`
removing JHipster 2022-07-22 13:31:37 +02:00			`BEGIN`
			`IF TG_OP <> 'INSERT' THEN`
			`RAISE EXCEPTION 'invalid usage of TRIGGER AFTER INSERT';`
			`END IF;`

			`SELECT * FROM unixuser WHERE uuid=NEW.unixUserUuid into parentUser;`

improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`-- a domain owner role is created and assigned to the unixuser's admin role`
			`domainOwnerRoleUuid = createRole(`
			`domainOwner(parentUser.name, NEW.name),`
			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),`
			`beneathRole(unixUserAdmin(parentUser.name))`
			`);`

			`-- a domain admin role is created and assigned to the domain's owner role`
			`domainAdminRoleUuid = createRole(`
			`domainAdmin(parentUser.name, NEW.name),`
			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['edit', 'add-emailaddress']),`
			`beneathRole(domainOwnerRoleUuid)`
			`);`

			`-- and a domain tenant role is created and assigned to the domain's admiin role`
			`perform createRole(`
			`domainTenant(parentUser.name, NEW.name),`
			`grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),`
			`beneathRole(domainAdminRoleUuid),`
			`beingItselfA(createUnixUserTenantRoleIfNotExists(parentUser))`
			`);`
removing JHipster 2022-07-22 13:31:37 +02:00
			`RETURN NEW;`
			`END; $$;`

			`DROP TRIGGER IF EXISTS createRbacRulesForDomain_Trigger ON Domain;`
			`CREATE TRIGGER createRbacRulesForDomain_Trigger`
			`AFTER INSERT ON Domain`
			`FOR EACH ROW EXECUTE PROCEDURE createRbacRulesForDomain();`

			`-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForDomain()`


			`-- create RBAC restricted view`

			`SET SESSION SESSION AUTHORIZATION DEFAULT;`
			`ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;`
			`DROP VIEW IF EXISTS domain_rv;`
			`CREATE OR REPLACE VIEW domain_rv AS`
			`SELECT DISTINCT target.*`
			`FROM Domain AS target`
RbacGrants with follow=false for customer.owner to customer.admin 2022-07-22 16:52:49 +02:00			`JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()) AS allowedObjId`
removing JHipster 2022-07-22 13:31:37 +02:00			`ON target.uuid = allowedObjId;`
			`GRANT ALL PRIVILEGES ON domain_rv TO restricted;`


			`-- generate Domain test data`

			`DO LANGUAGE plpgsql $$`
			`DECLARE`
			`uu unixuser;`
			`pac package;`
			`pacAdmin varchar;`
			`currentTask varchar;`
			`BEGIN`
			`SET hsadminng.currentUser TO '';`

			`FOR uu IN (SELECT * FROM unixuser) LOOP`
			`IF ( random() < 0.3 ) THEN`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`FOR t IN 0..1 LOOP`
removing JHipster 2022-07-22 13:31:37 +02:00			`currentTask = 'creating RBAC test Domain #' \|\| t \|\| ' for UnixUser ' \|\| uu.name\|\| ' #' \|\| uu.uuid;`
			`RAISE NOTICE 'task: %', currentTask;`

			`SELECT * FROM package WHERE uuid=uu.packageUuid INTO pac;`
			`pacAdmin = 'admin@' \|\| pac.name \|\| '.example.com';`
			`SET LOCAL hsadminng.currentUser TO pacAdmin;`
			`SET LOCAL hsadminng.assumedRoles = '';`
			`SET LOCAL hsadminng.currentTask TO currentTask;`

			`INSERT INTO Domain (name, unixUserUuid)`
improved role structure including comprised tenant sub roles 2022-07-25 16:38:21 +02:00			`VALUES ('dom-' \|\| t \|\| '.' \|\| uu.name \|\| '.example.org' , uu.uuid);`
removing JHipster 2022-07-22 13:31:37 +02:00
			`COMMIT;`
			`END LOOP;`
			`END IF;`
			`END LOOP;`

			`END;`
			`$$;`