From 12d74a75cae675221e5d303b86c52d0781ff6a7b Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Fri, 20 Sep 2024 12:21:58 +0200 Subject: [PATCH] create or replace function base.findObjectUuidByIdName(objectTable varchar, objectIdName varchar) create or replace function base.findObjectUuidByIdName(objectTable varchar, objectIdName varchar) create or replace function base.findObjectUuidByIdName(objectTable varchar, objectIdName varchar) move findObjectUuidByIdName+findIdNameByObjectUuid from base to rbac and related naming issues --- .../db/changelog/0-base/010-context.sql | 39 ---------------- .../db/changelog/1-rbac/1050-rbac-base.sql | 46 ++++++++++++++++++- .../db/changelog/1-rbac/1054-rbac-context.sql | 2 +- .../db/changelog/1-rbac/1055-rbac-views.sql | 22 ++++----- .../changelog/1-rbac/1058-rbac-generators.sql | 4 +- .../db/changelog/1-rbac/1080-rbac-global.sql | 8 ++-- 6 files changed, 63 insertions(+), 58 deletions(-) diff --git a/src/main/resources/db/changelog/0-base/010-context.sql b/src/main/resources/db/changelog/0-base/010-context.sql index 6340850b..abafe3b6 100644 --- a/src/main/resources/db/changelog/0-base/010-context.sql +++ b/src/main/resources/db/changelog/0-base/010-context.sql 
@@ -168,45 +168,6 @@ begin return cleanIdentifier; end; $$; -create or replace function base.findObjectUuidByIdName(objectTable varchar, objectIdName varchar) - returns uuid - returns null on null input - language plpgsql as $$ -declare - sql varchar; - uuid uuid; -begin - objectTable := base.pureIdentifier(objectTable); - objectIdName := base.pureIdentifier(objectIdName); - sql := format('select * from %sUuidByIdName(%L);', objectTable, objectIdName); - begin - execute sql into uuid; - exception - when others then - raise exception 'function %UuidByIdName(...) not found, add identity view support for table %', objectTable, objectTable; - end; - return uuid; -end ; $$; - -create or replace function base.findIdNameByObjectUuid(objectTable varchar, objectUuid uuid) - returns varchar - returns null on null input - language plpgsql as $$ -declare - sql varchar; - idName varchar; -begin - objectTable := base.pureIdentifier(objectTable); - sql := format('select * from %sIdNameByUuid(%L::uuid);', objectTable, objectUuid); - begin - execute sql into idName; - exception - when others then - raise exception 'function %IdNameByUuid(...) not found, add identity view support for table %', objectTable, objectTable; - end; - return idName; -end ; $$; - create or replace function base.currentSubjects() returns varchar(1023)[] stable -- leakproof diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql index 6a403e08..82c43238 100644 --- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql +++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql 
@@ -233,6 +233,50 @@ $$; --// +-- ============================================================================ +--changeset michael.hoennig:rbac-base-IDNAME-FUNCTIONS endDelimiter:--// +-- ---------------------------------------------------------------------------- +create or replace function rbac.findObjectUuidByIdName(objectTable varchar, objectIdName varchar) + returns uuid + returns null on null input + language plpgsql as $$ +declare + sql varchar; + uuid uuid; +begin + objectTable := base.pureIdentifier(objectTable); + objectIdName := base.pureIdentifier(objectIdName); + sql := format('select * from %s_uuid_by_id_name(%L);', objectTable, objectIdName); + begin + execute sql into uuid; + exception + when others then + raise exception 'function %_uuid_by_id_name(...) not found, add identity view support for table %', objectTable, objectTable; + end; + return uuid; +end ; $$; + +create or replace function rbac.findIdNameByObjectUuid(objectTable varchar, objectUuid uuid) + returns varchar + returns null on null input + language plpgsql as $$ +declare + sql varchar; + idName varchar; +begin + objectTable := base.pureIdentifier(objectTable); + sql := format('select * from %s_id_name_by_uuid(%L::uuid);', objectTable, objectUuid); + begin + execute sql into idName; + exception + when others then + raise exception 'function %_id_name_by_uuid(...) not found, add identity view support for table %', objectTable, objectTable; + end; + return idName; +end ; $$; +--// + + -- ============================================================================ --changeset michael.hoennig:rbac-base-ROLE-FUNCTIONS endDelimiter:--// -- ---------------------------------------------------------------------------- 
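Review bot: Both new functions wrap their `execute` in `exception when others`, so any failure of the generated lookup function — permission denied, a runtime error inside it, a failed `::uuid` cast — is reported as "function … not found, add identity view support", hiding the real SQLSTATE from callers and logs. Narrow the handler to `when undefined_function then` (SQLSTATE 42883), or test `if to_regproc(objectTable || '_uuid_by_id_name') is null then raise exception ...; end if;` before the `execute` and let every other error propagate. Since `objectTable` is fed from the caller-controlled role string (`split_part(roleParts, '#', 1)` in the following hunk) and is spliced in with `%s`, injection safety rests entirely on `base.pureIdentifier`, whose body is outside this diff; a comment at the call site such as `-- objectTable is interpolated unquoted: base.pureIdentifier must reject anything but a plain (schema-qualified) identifier` would make that contract explicit. `objectIdName` is also passed through `base.pureIdentifier` even though it is interpolated with `%L`; that call changes the looked-up value rather than protecting the query, so either drop it or comment why the id name is normalised. Note that already-migrated databases keep the old `base.findObjectUuidByIdName` and `*UuidByIdName` functions, since no changeset drops them — presumably acceptable if schemas are rebuilt from scratch, but worth confirming.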
@@ -262,7 +306,7 @@ begin objectTableFromRoleIdName = split_part(roleParts, '#', 1); objectNameFromRoleIdName = split_part(roleParts, '#', 2); roleTypeFromRoleIdName = split_part(roleParts, '#', 3); - objectUuidOfRole = base.findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName); + objectUuidOfRole = rbac.findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName); select uuid from rbac.role diff --git a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql index afede6ac..892b5933 100644 --- a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql +++ b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql @@ -55,7 +55,7 @@ begin objectNameToAssume = split_part(roleNameParts, '#', 2); roleTypeToAssume = split_part(roleNameParts, '#', 3); - objectUuidToAssume = base.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume); + objectUuidToAssume = rbac.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume); if objectUuidToAssume is null then raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts; end if; diff --git a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql index e1ea0c1e..c68099dc 100644 --- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql +++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql @@ -13,7 +13,7 @@ select (objectTable || '#' || objectIdName || ':' || roleType) as roleIdName, * -- @formatter:off from ( select r.*, - o.objectTable, base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName + o.objectTable, rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName from rbac.role as r join rbac.object as o on o.uuid = r.objectuuid ) as unordered 
@@ -34,7 +34,7 @@ select * -- @formatter:off from ( select r.*, o.objectTable, - base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName + rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName from rbac.role as r join rbac.object as o on o.uuid = r.objectuuid where rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid) @@ -57,7 +57,7 @@ create or replace view rbac.grants_ev as -- @formatter:off select x.grantUuid as uuid, x.grantedByTriggerOf as grantedByTriggerOf, - go.objectTable || '#' || base.findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName, + go.objectTable || '#' || rbac.findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName, x.ascendingIdName as ascendantIdName, x.descendingIdName as descendantIdName, x.grantedByRoleUuid, 
@@ -72,15 +72,15 @@ create or replace view rbac.grants_ev as coalesce( 'user:' || au.name, - 'role:' || aro.objectTable || '#' || base.findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype + 'role:' || aro.objectTable || '#' || rbac.findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype ) as ascendingIdName, aro.objectTable, aro.uuid, ( case when dro is not null - then ('role:' || dro.objectTable || '#' || base.findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype) + then ('role:' || dro.objectTable || '#' || rbac.findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype) when dp.op = 'INSERT' - then 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName - else 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op + then 'perm:' || dpo.objecttable || '#' || rbac.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName + else 'perm:' || dpo.objecttable || '#' || rbac.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op end ) as descendingIdName, dro.objectTable, dro.uuid, 
@@ -114,14 +114,14 @@ create or replace view rbac.grants_ev as */ create or replace view rbac.grants_rv as -- @formatter:off -select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, +select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed, g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid, g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType from ( select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed, u.name as userName, o.objecttable, r.objectuuid, r.roletype, - base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName + rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName from rbac.grants as g join rbac.role as r on r.uuid = g.descendantUuid join rbac.object o on o.uuid = r.objectuuid @@ -363,10 +363,10 @@ begin xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid from (select r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable, - base.findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName, + rbac.findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName, p.uuid as permissionUuid, p.op, p.opTableName, po.objecttable as permissionObjectTable, - base.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName, + rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName, po.uuid as permissionObjectUuid from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p join rbac.grants as g on g.descendantUuid = p.uuid diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql index 852a023e..b8af04f4 100644 
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql +++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql @@ -130,7 +130,7 @@ begin -- creates a function which maps an idName to the objectUuid sql = format($sql$ - create or replace function %1$sUuidByIdName(givenIdName varchar) + create or replace function %1$s_uuid_by_id_name(givenIdName varchar) returns uuid language plpgsql as $f$ declare @@ -144,7 +144,7 @@ begin -- creates a function which maps an objectUuid to the related idName sql = format($sql$ - create or replace function %1$sIdNameByUuid(givenUuid uuid) + create or replace function %1$s_id_name_by_uuid(givenUuid uuid) returns varchar language sql strict as $f$ diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql index a5514401..51cdb6c2 100644 --- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql +++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql @@ -66,21 +66,21 @@ grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNA /* Returns the objectUuid for a given identifying name (in this case the idName). */ -create or replace function rbac.globalUuidByIdName(idName varchar) +create or replace function rbac.global_uuid_by_id_name(idName varchar) returns uuid language sql strict as $$ -select uuid from rbac.global_iv iv where iv.idName = globalUuidByIdName.idName; +select uuid from rbac.global_iv iv where iv.idName = global_uuid_by_id_name.idName; $$; /* Returns the identifying name for a given objectUuid (in this case the idName). */ -create or replace function rbac.globalIdNameByUuid(uuid uuid) +create or replace function rbac.global_id_name_by_uuid(uuid uuid) returns varchar language sql strict as $$ -select idName from rbac.global_iv iv where iv.uuid = globalIdNameByUuid.uuid; +select idName from rbac.global_iv iv where iv.uuid = global_id_name_by_uuid.uuid; $$; --//