add schema-usage to Java-RBAC-Generators and re-generate
This commit is contained in:
parent
64163a4d4c
commit
01399be498
@ -114,7 +114,7 @@ public class InsertTriggerGenerator {
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_${rawSubTable}_grants_after_insert_tg
|
||||
create trigger z_new_${rawSubTableName}_grants_after_insert_tg
|
||||
after insert on ${rawSuperTableWithSchema}
|
||||
for each row
|
||||
execute procedure ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf();
|
||||
@ -132,6 +132,7 @@ public class InsertTriggerGenerator {
|
||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
||||
with("rawSuperTableSchemaName", g.getSuperRoleDef().getEntityAlias().getRawTableSchemaPrefix()),
|
||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||
with("rawSubTableName", g.getPermDef().getEntityAlias().getRawTableName()),
|
||||
with("rawSubTableShortName", g.getPermDef().getEntityAlias().getRawTableShortName()));
|
||||
|
||||
});
|
||||
@ -154,15 +155,16 @@ public class InsertTriggerGenerator {
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
begin
|
||||
raise exception '[403] insert into ${rawSubTable} values(%) not allowed regardless of current subject, no insert permissions granted at all', NEW;
|
||||
raise exception '[403] insert into ${rawSubTableWithSchema} values(%) not allowed regardless of current subject, no insert permissions granted at all', NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||
before insert on ${rawSubTable}
|
||||
for each row
|
||||
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
||||
execute procedure ${rawSubTableWithSchema}_insert_permission_missing_tf();
|
||||
""",
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||
with("rawSubTableWithSchema", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()),
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||
|
||||
plPgSql.writeLn("--//");
|
||||
}
|
||||
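Review bot: `before insert on ${rawSubTable}` in this hunk is now bound to the bare table name, because the hunk's last lines switch `rawSubTable` from getRawTableNameWithSchema() to getRawTableName(), while the parallel trigger in generateInsertPermissionsChecksFooter was updated to `before insert on ${rawSubTableWithSchema}`; before this change the placeholder was schema-qualified, so this is a regression. An unqualified table name resolves through search_path, so the permission-missing check could silently attach to a different table than the one the function was created for; change the line to `before insert on ${rawSubTableWithSchema}`. The placeholder naming is also inverted between the first two hunks and these two: there `rawSubTable` is the schema-qualified name and `rawSubTableName` the bare one, here `rawSubTableWithSchema` is qualified and `rawSubTable` is bare — settling on one convention would prevent the next such slip. The `create or replace function` for `_insert_permission_missing_tf` starts above this hunk, so I cannot confirm it is qualified consistently with the `execute procedure` line.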
@ -258,17 +260,18 @@ public class InsertTriggerGenerator {
|
||||
private void generateInsertPermissionsChecksFooter(final StringWriter plPgSql) {
|
||||
plPgSql.writeLn();
|
||||
plPgSql.writeLn("""
|
||||
raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)',
|
||||
raise exception '[403] insert into ${rawSubTableWithSchema} values(%) not allowed for current subjects % (%)',
|
||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||
before insert on ${rawSubTable}
|
||||
before insert on ${rawSubTableWithSchema}
|
||||
for each row
|
||||
execute procedure ${rawSubTable}_insert_permission_check_tf();
|
||||
execute procedure ${rawSubTableWithSchema}_insert_permission_check_tf();
|
||||
--//
|
||||
""",
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||
with("rawSubTableWithSchema", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()),
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||
}
|
||||
|
||||
private String toStringList(final Set<RbacView.CaseDef> cases) {
|
||||
|
@ -17,7 +17,7 @@ public class RbacRoleDescriptorsGenerator {
|
||||
void generateTo(final StringWriter plPgSql) {
|
||||
plPgSql.writeLn("""
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:${liquibaseTagPrefix}-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:${liquibaseTagPrefix}-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('${simpleEntityVarName}', '${rawTableName}');
|
||||
--//
|
||||
|
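Review bot: Correcting the author token in `--changeset RbacRoleDescriptorsGenerator:${liquibaseTagPrefix}-rbac-ROLE-DESCRIPTORS` changes the changeset's identity (Liquibase keys applied changesets by id, author and changelog path), so on any database that already recorded the misspelled changeset this one is treated as new and `call rbac.generateRbacRoleDescriptors(...)` executes a second time. Whether that call is safe to re-run cannot be told from this page; if it is not, either keep the old author string or add a precondition so already-migrated databases are skipped. The same rename is carried into every regenerated `*-rbac.sql` hunk below, which inherit the issue. A comment above the text block, e.g. `// NOTE: the author token is part of the Liquibase changeset identity; renaming it re-applies the changeset on existing databases`, would warn the next editor.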
@ -90,11 +90,11 @@ public class RbacView {
|
||||
* @param <E>
|
||||
* a JPA entity class extending RbacObject
|
||||
*/
|
||||
public static <E extends BaseEntity> RbacView rbacViewFor(final String alias, final Class<E> entityClass) {
|
||||
public static <E extends BaseEntity<?>> RbacView rbacViewFor(final String alias, final Class<E> entityClass) {
|
||||
return new RbacView(alias, entityClass);
|
||||
}
|
||||
|
||||
RbacView(final String alias, final Class<? extends BaseEntity> entityClass) {
|
||||
RbacView(final String alias, final Class<? extends BaseEntity<?>> entityClass) {
|
||||
rootEntityAlias = new EntityAlias(alias, entityClass);
|
||||
entityAliases.put(alias, rootEntityAlias);
|
||||
new RbacSubjectReference(CREATOR);
|
||||
@ -121,7 +121,7 @@ public class RbacView {
|
||||
* <p>An identity view is a view which maps an objectUuid to an idName.
|
||||
* The idName should be a human-readable representation of the row, but as short as possible.
|
||||
* The idName must only consist of letters (A-Z, a-z), digits (0-9), dash (-), dot (.) and unserscore '_'.
|
||||
* It's used to create the object-specific-role-names like test_customer#abc:ADMIN - here 'abc' is the idName.
|
||||
* It's used to create the object-specific-role-names like test.customer#abc:ADMIN - here 'abc' is the idName.
|
||||
* The idName not necessarily unique in a table, but it should be avoided.
|
||||
* </p>
|
||||
*
|
||||
@ -287,9 +287,9 @@ public class RbacView {
|
||||
* @param <EC>
|
||||
* a JPA entity class extending RbacObject
|
||||
*/
|
||||
public <EC extends BaseEntity> RbacView importRootEntityAliasProxy(
|
||||
public <EC extends BaseEntity<?>> RbacView importRootEntityAliasProxy(
|
||||
final String aliasName,
|
||||
final Class<? extends BaseEntity> entityClass,
|
||||
final Class<? extends BaseEntity<?>> entityClass,
|
||||
final ColumnValue forCase,
|
||||
final SQL fetchSql,
|
||||
final Column dependsOnColum) {
|
||||
@ -313,7 +313,7 @@ public class RbacView {
|
||||
* a JPA entity class extending RbacObject
|
||||
*/
|
||||
public RbacView importSubEntityAlias(
|
||||
final String aliasName, final Class<? extends BaseEntity> entityClass,
|
||||
final String aliasName, final Class<? extends BaseEntity<?>> entityClass,
|
||||
final SQL fetchSql, final Column dependsOnColum) {
|
||||
importEntityAliasImpl(aliasName, entityClass, usingDefaultCase(), fetchSql, dependsOnColum, true, NOT_NULL);
|
||||
return this;
|
||||
@ -350,14 +350,14 @@ public class RbacView {
|
||||
* a JPA entity class extending RbacObject
|
||||
*/
|
||||
public RbacView importEntityAlias(
|
||||
final String aliasName, final Class<? extends BaseEntity> entityClass, final ColumnValue usingCase,
|
||||
final String aliasName, final Class<? extends BaseEntity<?>> entityClass, final ColumnValue usingCase,
|
||||
final Column dependsOnColum, final SQL fetchSql, final Nullable nullable) {
|
||||
importEntityAliasImpl(aliasName, entityClass, usingCase, fetchSql, dependsOnColum, false, nullable);
|
||||
return this;
|
||||
}
|
||||
|
||||
private EntityAlias importEntityAliasImpl(
|
||||
final String aliasName, final Class<? extends BaseEntity> entityClass, final ColumnValue usingCase,
|
||||
final String aliasName, final Class<? extends BaseEntity<?>> entityClass, final ColumnValue usingCase,
|
||||
final SQL fetchSql, final Column dependsOnColum, boolean asSubEntity, final Nullable nullable) {
|
||||
|
||||
final var entityAlias = ofNullable(entityAliases.get(aliasName))
|
||||
@ -911,13 +911,13 @@ public class RbacView {
|
||||
return distinctGrantDef;
|
||||
}
|
||||
|
||||
record EntityAlias(String aliasName, Class<? extends BaseEntity> entityClass, ColumnValue usingCase, SQL fetchSql, Column dependsOnColum, boolean isSubEntity, Nullable nullable) {
|
||||
record EntityAlias(String aliasName, Class<? extends BaseEntity<?>> entityClass, ColumnValue usingCase, SQL fetchSql, Column dependsOnColum, boolean isSubEntity, Nullable nullable) {
|
||||
|
||||
public EntityAlias(final String aliasName) {
|
||||
this(aliasName, null, null, null, null, false, null);
|
||||
}
|
||||
|
||||
public EntityAlias(final String aliasName, final Class<? extends BaseEntity> entityClass) {
|
||||
public EntityAlias(final String aliasName, final Class<? extends BaseEntity<?>> entityClass) {
|
||||
this(aliasName, entityClass, null, null, null, false, null);
|
||||
}
|
||||
|
||||
@ -964,7 +964,7 @@ public class RbacView {
|
||||
if ( aliasName.equals("rbac.global")) {
|
||||
return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
|
||||
}
|
||||
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
|
||||
return qualifiedRealTableName(entityClass);
|
||||
}
|
||||
|
||||
String getRawTableSchemaPrefix() {
|
||||
@ -1010,8 +1010,12 @@ public class RbacView {
|
||||
}
|
||||
}
|
||||
|
||||
public static String withoutRvSuffix(final String tableName) {
|
||||
return tableName.substring(0, tableName.length() - "_rv".length());
|
||||
public static String qualifiedRealTableName(final Class<? extends BaseEntity<?>> entityClass) {
|
||||
final var tableAnnotation = entityClass.getAnnotation(Table.class);
|
||||
final var schema = tableAnnotation.schema();
|
||||
final var tableName = tableAnnotation.name();
|
||||
final var realTableName = tableName.substring(0, tableName.length() - "_rv".length());
|
||||
return (schema.isEmpty() ? "" : (schema + ".")) + realTableName;
|
||||
}
|
||||
|
||||
public enum Role {
|
||||
|
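Review bot: `qualifiedRealTableName` strips the last three characters of `tableAnnotation.name()` unconditionally (`tableName.substring(0, tableName.length() - "_rv".length())`), so an entity whose table is not named `*_rv` silently yields a truncated name, and an entity without a `@Table` annotation throws a NullPointerException at `tableAnnotation.schema()`. The result is what the generated triggers and grants are bound to, so a wrong name means the RBAC checks attach to a non-existent or different table; fail loudly instead with `if (!tableName.endsWith("_rv")) { throw new IllegalArgumentException(entityClass.getName() + ": @Table name is expected to end with '_rv', got: " + tableName); }` and a null check on `tableAnnotation` before it. The removed `withoutRvSuffix` had the same blind substring, but replacing it is the moment to add the check. A Javadoc line stating that the method returns the base table name (the `_rv` view suffix removed), prefixed with the annotation's schema when one is set, would also help.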
@ -516,7 +516,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
/*
|
||||
AFTER INSERT TRIGGER to create the role+grant structure for a new ${rawTableName} row.
|
||||
*/
|
||||
|
||||
|
||||
create or replace function insertTriggerFor${simpleEntityName}_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
@ -525,7 +525,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
call buildRbacSystemFor${simpleEntityName}(NEW);
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
|
||||
create trigger insertTriggerFor${simpleEntityName}_tg
|
||||
after insert on ${rawTableName}
|
||||
for each row
|
||||
|
@ -19,9 +19,11 @@ public class StringWriter {
|
||||
writeLn();
|
||||
}
|
||||
|
||||
void writeLn(final String text, final VarDef... varDefs) {
|
||||
string.append( indented( new VarReplacer(varDefs).apply(text) ));
|
||||
String writeLn(final String text, final VarDef... varDefs) {
|
||||
final var insertText = indented(new VarReplacer(varDefs).apply(text));
|
||||
string.append(insertText);
|
||||
writeLn();
|
||||
return insertText;
|
||||
}
|
||||
|
||||
void writeLn() {
|
||||
|
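Review bot: The new `String` return of `writeLn(final String text, final VarDef... varDefs)` is undocumented, and `insertText` is returned without whatever the following `writeLn()` call appends (presumably a line break; its body lies outside the hunk), so callers may assume they receive exactly what was written. A Javadoc would pin this down: `/** Replaces the variables in {@code text}, indents the result and appends it followed by a line break. @return the inserted text, without the trailing line break */`.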
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('test_customer');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:test-customer-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:test-customer-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('testCustomer', 'test_customer');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('test_package');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:test-package-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:test-package-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('testPackage', 'test_package');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('test_domain');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:test-domain-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:test-domain-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('testDomain', 'test_domain');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_person');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-person-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-person-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_partner');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-partner-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-partner-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_partner_details');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-partner-details-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-partner-details-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_bankaccount');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-bankaccount-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-bankaccount-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_debitor');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-debitor-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-debitor-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_sepamandate');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-sepamandate-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-sepamandate-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_membership');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-membership-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-membership-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_coopsharestransaction');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction');
|
||||
--//
|
||||
|
@ -10,7 +10,7 @@ call rbac.generateRelatedRbacObject('hs_office_coopassetstransaction');
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescirptorsGenerator:hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
|
||||
--//
|
||||
|