rename table rbac.grants -> rbac.grant for consistent naming
This commit is contained in:
Michael Hoennig
parent
71be87b36b
commit
1afa5ea434
@ -1,7 +1,6 @@
|
||||
package net.hostsharing.hsadminng.hs.office.person;
|
||||
|
||||
import lombok.*;
|
||||
import lombok.experimental.FieldNameConstants;
|
||||
import lombok.experimental.SuperBuilder;
|
||||
import net.hostsharing.hsadminng.errors.DisplayAs;
|
||||
import net.hostsharing.hsadminng.rbac.generator.RbacSpec;
|
||||
@ -22,7 +21,6 @@ import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.rbacViewFor;
|
||||
@Setter
|
||||
@NoArgsConstructor
|
||||
@SuperBuilder(toBuilder = true)
|
||||
@FieldNameConstants
|
||||
@DisplayAs("RbacPerson")
|
||||
public class HsOfficePersonRbacEntity extends HsOfficePerson<HsOfficePersonRbacEntity> {
|
||||
|
||||
|
||||
@ -54,18 +54,18 @@ class RbacRbacSystemRebuildGenerator {
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM ${rawTableName} LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL ${rawTableName}_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -112,7 +112,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
begin
|
||||
|
||||
if ${updateConditions} then
|
||||
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
|
||||
delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
|
||||
call ${rawTableQualifiedName}_build_rbac_system(NEW);
|
||||
end if;
|
||||
end; $$;
|
||||
|
||||
@ -12,7 +12,7 @@ import java.util.List;
|
||||
import java.util.UUID;
|
||||
|
||||
@Entity
|
||||
@Table(schema = "rbac", name = "grants_ev")
|
||||
@Table(schema = "rbac", name = "grant_ev")
|
||||
@Getter
|
||||
@Setter
|
||||
@Builder
|
||||
|
||||
@ -8,7 +8,7 @@ import jakarta.persistence.*;
|
||||
import java.util.UUID;
|
||||
|
||||
@Entity
|
||||
@Table(schema = "rbac", name = "grants_rv")
|
||||
@Table(schema = "rbac", name = "grant_rv")
|
||||
@IdClass(RbacGrantId.class)
|
||||
@Getter
|
||||
@Setter
|
||||
|
||||
@ -360,7 +360,7 @@ create or replace function rbac.delete_grants_of_role_tf()
|
||||
strict as $$
|
||||
begin
|
||||
if TG_OP = 'DELETE' then
|
||||
delete from rbac.grants g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid);
|
||||
delete from rbac.grant g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid);
|
||||
else
|
||||
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
||||
end if;
|
||||
@ -541,7 +541,7 @@ $$;
|
||||
/*
|
||||
Table to store grants / role- or permission assignments to subjects or roles.
|
||||
*/
|
||||
create table rbac.grants
|
||||
create table rbac.grant
|
||||
(
|
||||
uuid uuid primary key default uuid_generate_v4(),
|
||||
grantedByTriggerOf uuid references rbac.object (uuid) on delete cascade initially deferred ,
|
||||
@ -551,21 +551,21 @@ create table rbac.grants
|
||||
assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
|
||||
unique (ascendantUuid, descendantUuid),
|
||||
constraint rbacGrant_createdBy check ( grantedByRoleUuid is null or grantedByTriggerOf is null) );
|
||||
create index on rbac.grants (ascendantUuid);
|
||||
create index on rbac.grants (descendantUuid);
|
||||
create index on rbac.grant (ascendantUuid);
|
||||
create index on rbac.grant (descendantUuid);
|
||||
|
||||
call base.create_journal('rbac.grants');
|
||||
call base.create_journal('rbac.grant');
|
||||
create or replace function rbac.findGrantees(grantedId uuid)
|
||||
returns setof rbac.reference
|
||||
returns null on null input
|
||||
language sql as $$
|
||||
with recursive grants as (
|
||||
select descendantUuid, ascendantUuid
|
||||
from rbac.grants
|
||||
from rbac.grant
|
||||
where descendantUuid = grantedId
|
||||
union all
|
||||
select g.descendantUuid, g.ascendantUuid
|
||||
from rbac.grants g
|
||||
from rbac.grant g
|
||||
inner join grants on grants.ascendantUuid = g.descendantUuid
|
||||
)
|
||||
select ref.*
|
||||
@ -579,11 +579,11 @@ create or replace function rbac.isGranted(granteeIds uuid[], grantedId uuid)
|
||||
language sql as $$
|
||||
with recursive grants as (
|
||||
select descendantUuid, ascendantUuid
|
||||
from rbac.grants
|
||||
from rbac.grant
|
||||
where descendantUuid = grantedId
|
||||
union all
|
||||
select "grant".descendantUuid, "grant".ascendantUuid
|
||||
from rbac.grants "grant"
|
||||
from rbac.grant "grant"
|
||||
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
|
||||
)
|
||||
select exists (
|
||||
@ -605,11 +605,11 @@ create or replace function rbac.isPermissionGrantedToSubject(permissionId uuid,
|
||||
language sql as $$
|
||||
with recursive grants as (
|
||||
select descendantUuid, ascendantUuid
|
||||
from rbac.grants
|
||||
from rbac.grant
|
||||
where descendantUuid = permissionId
|
||||
union all
|
||||
select g.descendantUuid, g.ascendantUuid
|
||||
from rbac.grants g
|
||||
from rbac.grant g
|
||||
inner join grants on grants.ascendantUuid = g.descendantUuid
|
||||
)
|
||||
select exists(
|
||||
@ -637,7 +637,7 @@ create or replace function rbac.hasGlobalRoleGranted(forAscendantUuid uuid)
|
||||
language sql as $$
|
||||
select exists(
|
||||
select r.uuid
|
||||
from rbac.grants as g
|
||||
from rbac.grant as g
|
||||
join rbac.role as r on r.uuid = g.descendantuuid
|
||||
join rbac.object as o on o.uuid = r.objectuuid
|
||||
where g.ascendantuuid = forAscendantUuid
|
||||
@ -652,7 +652,7 @@ begin
|
||||
perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission');
|
||||
|
||||
insert
|
||||
into rbac.grants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
|
||||
into rbac.grant (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
|
||||
values (rbac.currentTriggerObjectUuid(), roleUuid, permissionUuid, true)
|
||||
on conflict do nothing; -- allow granting multiple times
|
||||
end;
|
||||
@ -676,7 +676,7 @@ begin
|
||||
end if;
|
||||
|
||||
insert
|
||||
into rbac.grants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
||||
into rbac.grant (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
||||
values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
||||
on conflict do nothing; -- allow granting multiple times
|
||||
end; $$;
|
||||
@ -704,7 +704,7 @@ begin
|
||||
end if;
|
||||
|
||||
insert
|
||||
into rbac.grants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
||||
into rbac.grant (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
||||
values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
||||
on conflict do nothing; -- allow granting multiple times
|
||||
end; $$;
|
||||
@ -722,7 +722,7 @@ begin
|
||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||
|
||||
if (rbac.isGranted(superRoleId, subRoleId)) then
|
||||
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = subRoleId;
|
||||
delete from rbac.grant where ascendantUuid = superRoleId and descendantUuid = subRoleId;
|
||||
else
|
||||
raise exception 'cannot revoke role % (%) from % (%) because it is not granted',
|
||||
subRole, subRoleId, superRole, superRoleId;
|
||||
@ -743,10 +743,10 @@ begin
|
||||
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
|
||||
|
||||
if (rbac.isGranted(superRoleId, permissionId)) then
|
||||
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId;
|
||||
delete from rbac.grant where ascendantUuid = superRoleId and descendantUuid = permissionId;
|
||||
else
|
||||
select p.op, o.objectTable, o.uuid
|
||||
from rbac.grants g
|
||||
from rbac.grant g
|
||||
join rbac.permission p on p.uuid=g.descendantUuid
|
||||
join rbac.object o on o.uuid=p.objectUuid
|
||||
where g.uuid=permissionId
|
||||
@ -777,12 +777,12 @@ begin
|
||||
return query
|
||||
WITH RECURSIVE grants AS (
|
||||
SELECT descendantUuid, ascendantUuid, 1 AS level
|
||||
FROM rbac.grants
|
||||
FROM rbac.grant
|
||||
WHERE assumed
|
||||
AND ascendantUuid = any(subjectIds)
|
||||
UNION ALL
|
||||
SELECT g.descendantUuid, g.ascendantUuid, grants.level + 1 AS level
|
||||
FROM rbac.grants g
|
||||
FROM rbac.grant g
|
||||
INNER JOIN grants ON grants.descendantUuid = g.ascendantUuid
|
||||
WHERE g.assumed
|
||||
),
|
||||
@ -821,11 +821,11 @@ create or replace function rbac.queryPermissionsGrantedToSubjectId(subjectId uui
|
||||
language sql as $$
|
||||
with recursive grants as (
|
||||
select descendantUuid, ascendantUuid
|
||||
from rbac.grants
|
||||
from rbac.grant
|
||||
where ascendantUuid = subjectId
|
||||
union all
|
||||
select g.descendantUuid, g.ascendantUuid
|
||||
from rbac.grants g
|
||||
from rbac.grant g
|
||||
inner join grants on grants.descendantUuid = g.ascendantUuid
|
||||
)
|
||||
select perm.*
|
||||
@ -855,11 +855,11 @@ select *
|
||||
-- @formatter:off
|
||||
with recursive grants as (
|
||||
select descendantUuid, ascendantUuid
|
||||
from rbac.grants
|
||||
from rbac.grant
|
||||
where descendantUuid = objectId
|
||||
union all
|
||||
select "grant".descendantUuid, "grant".ascendantUuid
|
||||
from rbac.grants "grant"
|
||||
from rbac.grant "grant"
|
||||
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
|
||||
)
|
||||
-- @formatter:on
|
||||
|
||||
@ -28,7 +28,7 @@ begin
|
||||
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
|
||||
|
||||
insert
|
||||
into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||
into rbac.grant (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)
|
||||
-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
|
||||
on conflict do nothing; -- allow granting multiple times
|
||||
@ -61,7 +61,7 @@ begin
|
||||
end if;
|
||||
|
||||
insert
|
||||
into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||
into rbac.grant (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);
|
||||
-- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?
|
||||
-- Most powerful or latest grant wins? What about managed?
|
||||
@ -104,8 +104,8 @@ create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, g
|
||||
begin
|
||||
call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);
|
||||
|
||||
raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
|
||||
delete from rbac.grants as g
|
||||
raise INFO 'delete from rbac.grant where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
|
||||
delete from rbac.grant as g
|
||||
where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid
|
||||
and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;
|
||||
end; $$;
|
||||
@ -118,8 +118,8 @@ end; $$;
|
||||
create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
|
||||
language plpgsql as $$
|
||||
begin
|
||||
raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
|
||||
delete from rbac.grants as g
|
||||
raise INFO 'delete from rbac.grant where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
|
||||
delete from rbac.grant as g
|
||||
where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid;
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
@ -52,8 +52,8 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
|
||||
Creates a view to the grants table with additional columns
|
||||
for easier human readability.
|
||||
*/
|
||||
drop view if exists rbac.grants_ev;
|
||||
create or replace view rbac.grants_ev as
|
||||
drop view if exists rbac.grant_ev;
|
||||
create or replace view rbac.grant_ev as
|
||||
-- @formatter:off
|
||||
select x.grantUuid as uuid,
|
||||
x.grantedByTriggerOf as grantedByTriggerOf,
|
||||
@ -85,7 +85,7 @@ create or replace view rbac.grants_ev as
|
||||
) as descendingIdName,
|
||||
dro.objectTable, dro.uuid,
|
||||
dp.op, dp.optablename
|
||||
from rbac.grants as g
|
||||
from rbac.grant as g
|
||||
|
||||
left outer join rbac.role as ar on ar.uuid = g.ascendantUuid
|
||||
left outer join rbac.object as aro on aro.uuid = ar.objectuuid
|
||||
@ -112,7 +112,7 @@ create or replace view rbac.grants_ev as
|
||||
Creates a view to the grants table with row-level limitation
|
||||
based on the direct grants of the current user.
|
||||
*/
|
||||
create or replace view rbac.grants_rv as
|
||||
create or replace view rbac.grant_rv as
|
||||
-- @formatter:off
|
||||
select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||
@ -122,7 +122,7 @@ select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid
|
||||
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
||||
u.name as userName, o.objecttable, r.objectuuid, r.roletype,
|
||||
rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.grants as g
|
||||
from rbac.grant as g
|
||||
join rbac.role as r on r.uuid = g.descendantUuid
|
||||
join rbac.object o on o.uuid = r.objectuuid
|
||||
left outer join rbac.subject u on u.uuid = g.ascendantuuid
|
||||
@ -141,28 +141,28 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
Instead of insert trigger function for rbac.grants_rv.
|
||||
Instead of insert trigger function for rbac.grant_rv.
|
||||
*/
|
||||
create or replace function rbac.insert_grant_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
declare
|
||||
newGrant rbac.grants_rv;
|
||||
newGrant rbac.grant_rv;
|
||||
begin
|
||||
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
|
||||
select grv.*
|
||||
from rbac.grants_rv grv
|
||||
from rbac.grant_rv grv
|
||||
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
|
||||
into newGrant;
|
||||
return newGrant;
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
Creates an instead of insert trigger for the rbac.grants_rv view.
|
||||
Creates an instead of insert trigger for the rbac.grant_rv view.
|
||||
*/
|
||||
create trigger insert_grant_tg
|
||||
instead of insert
|
||||
on rbac.grants_rv
|
||||
on rbac.grant_rv
|
||||
for each row
|
||||
execute function rbac.insert_grant_tf();
|
||||
--/
|
||||
@ -173,7 +173,7 @@ execute function rbac.insert_grant_tf();
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
Instead of delete trigger function for rbac.grants_rv.
|
||||
Instead of delete trigger function for rbac.grant_rv.
|
||||
|
||||
Checks if the current subject or assumed role have the permission to revoke the grant.
|
||||
*/
|
||||
@ -186,11 +186,11 @@ begin
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
Creates an instead of delete trigger for the rbac.grants_rv view.
|
||||
Creates an instead of delete trigger for the rbac.grant_rv view.
|
||||
*/
|
||||
create trigger delete_grant_tg
|
||||
instead of delete
|
||||
on rbac.grants_rv
|
||||
on rbac.grant_rv
|
||||
for each row
|
||||
execute function rbac.delete_grant_tf();
|
||||
--/
|
||||
@ -210,7 +210,7 @@ select distinct *
|
||||
from (
|
||||
select usersInRolesOfcurrentSubject.*
|
||||
from rbac.subject as usersInRolesOfcurrentSubject
|
||||
join rbac.grants as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
|
||||
join rbac.grant as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
|
||||
join rbac.role_ev as r on r.uuid = g.descendantuuid
|
||||
union
|
||||
select users.*
|
||||
@ -235,7 +235,7 @@ create or replace view rbac.subject_rv as
|
||||
from (
|
||||
select usersInRolesOfcurrentSubject.*
|
||||
from rbac.subject as usersInRolesOfcurrentSubject
|
||||
join rbac.grants as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
|
||||
join rbac.grant as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
|
||||
join rbac.role_rv as r on r.uuid = g.descendantuuid
|
||||
union
|
||||
select users.*
|
||||
@ -329,7 +329,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
|
||||
(r.objecttable || ':' || r.objectidname || ':' || r.roletype) as roleName, p.op,
|
||||
o.objecttable, r.objectidname, o.uuid as objectuuid
|
||||
from rbac.role_rv r
|
||||
join rbac.grants g on g.ascendantuuid = r.uuid
|
||||
join rbac.grant g on g.ascendantuuid = r.uuid
|
||||
join rbac.permission p on p.uuid = g.descendantuuid
|
||||
join rbac.object o on o.uuid = p.objectuuid;
|
||||
grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||
@ -369,7 +369,7 @@ begin
|
||||
rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||
po.uuid as permissionObjectUuid
|
||||
from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
|
||||
join rbac.grants as g on g.descendantUuid = p.uuid
|
||||
join rbac.grant as g on g.descendantUuid = p.uuid
|
||||
join rbac.object as po on po.uuid = p.objectUuid
|
||||
join rbac.role_rv as r on r.uuid = g.ascendantUuid
|
||||
join rbac.object as ro on ro.uuid = r.objectUuid
|
||||
|
||||
@ -193,19 +193,19 @@ begin
|
||||
with accessible_uuids as (
|
||||
with recursive
|
||||
recursive_grants as
|
||||
(select distinct rbac.grants.descendantuuid,
|
||||
rbac.grants.ascendantuuid,
|
||||
(select distinct rbac.grant.descendantuuid,
|
||||
rbac.grant.ascendantuuid,
|
||||
1 as level,
|
||||
true
|
||||
from rbac.grants
|
||||
where rbac.grants.assumed
|
||||
and (rbac.grants.ascendantuuid = any (rbac.currentSubjectOrAssumedRolesUuids()))
|
||||
from rbac.grant
|
||||
where rbac.grant.assumed
|
||||
and (rbac.grant.ascendantuuid = any (rbac.currentSubjectOrAssumedRolesUuids()))
|
||||
union all
|
||||
select distinct g.descendantuuid,
|
||||
g.ascendantuuid,
|
||||
grants.level + 1 as level,
|
||||
base.assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level)
|
||||
from rbac.grants g
|
||||
from rbac.grant g
|
||||
join recursive_grants grants on grants.descendantuuid = g.ascendantuuid
|
||||
where g.assumed),
|
||||
grant_count AS (
|
||||
|
||||
@ -20,7 +20,7 @@ select no, to_char("count", '9 999 999 999') as "count", "table"
|
||||
from rbac.reference
|
||||
union
|
||||
select 5 as no, count(*) as "count", 'grants' as "table"
|
||||
from rbac.grants
|
||||
from rbac.grant
|
||||
union
|
||||
select 6 as no, count(*) as "count", 'objects' as "table"
|
||||
from rbac.object) as totals
|
||||
|
||||
@ -212,18 +212,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM rbactest.customer LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL rbactest.customer_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -277,18 +277,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM rbactest.package LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL rbactest.package_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -276,18 +276,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM rbactest.domain LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL rbactest.domain_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -136,18 +136,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.contact LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.contact_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -138,18 +138,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.person LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.person_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -125,7 +125,7 @@ create or replace procedure hs_office.relation_update_rbac_system(
|
||||
begin
|
||||
|
||||
if NEW.contactUuid is distinct from OLD.contactUuid then
|
||||
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
|
||||
delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
|
||||
call hs_office.relation_build_rbac_system(NEW);
|
||||
end if;
|
||||
end; $$;
|
||||
@ -286,18 +286,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.relation LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.relation_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -287,18 +287,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.partner LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.partner_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -199,18 +199,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.partner_details LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.partner_details_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -135,18 +135,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.bankaccount LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.bankaccount_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -101,7 +101,7 @@ begin
|
||||
|
||||
if NEW.debitorRelUuid is distinct from OLD.debitorRelUuid
|
||||
or NEW.refundBankAccountUuid is distinct from OLD.refundBankAccountUuid then
|
||||
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
|
||||
delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
|
||||
call hs_office.debitor_build_rbac_system(NEW);
|
||||
end if;
|
||||
end; $$;
|
||||
@ -276,18 +276,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.debitor LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.debitor_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -245,18 +245,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.sepamandate LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.sepamandate_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -227,18 +227,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.membership LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.membership_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -198,18 +198,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.coopsharetx LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.coopsharetx_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -198,18 +198,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_office.coopassettx LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_office.coopassettx_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -238,18 +238,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_booking.project LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_booking.project_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -309,18 +309,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_booking.item LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_booking.item_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -129,7 +129,7 @@ begin
|
||||
|
||||
if NEW.assignedToAssetUuid is distinct from OLD.assignedToAssetUuid
|
||||
or NEW.alarmContactUuid is distinct from OLD.alarmContactUuid then
|
||||
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
|
||||
delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
|
||||
call hs_hosting.asset_build_rbac_system(NEW);
|
||||
end if;
|
||||
end; $$;
|
||||
@ -215,18 +215,18 @@ DECLARE
|
||||
grantsAfter numeric;
|
||||
grantsBefore numeric;
|
||||
BEGIN
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||
|
||||
FOR row IN SELECT * FROM hs_hosting.asset LOOP
|
||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||
DELETE FROM rbac.grants g
|
||||
DELETE FROM rbac.grant g
|
||||
WHERE g.grantedbytriggerof = row.uuid;
|
||||
|
||||
-- then build the grants according to the currently defined RBAC rules
|
||||
CALL hs_hosting.asset_build_rbac_system(row);
|
||||
END LOOP;
|
||||
|
||||
select count(*) into grantsAfter from rbac.grants;
|
||||
select count(*) into grantsAfter from rbac.grant;
|
||||
|
||||
-- print how the total count of grants has changed
|
||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||
|
||||
@ -295,14 +295,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
@Test
|
||||
public void rebuildingTheRbacSystemWitSameRbacSpecDoesNotChangeGrantNorRoleCount() {
|
||||
final var grantCountBefore = sql("SELECT COUNT(*) FROM rbac.grants");
|
||||
final var grantCountBefore = sql("SELECT COUNT(*) FROM rbac.grant");
|
||||
final var roleCountBefore = sql("SELECT COUNT(*) FROM rbac.role");
|
||||
|
||||
jpaAttempt.transacted(() ->
|
||||
em.createNativeQuery("CALL rbactest.package_rebuild_rbac_system()")
|
||||
);
|
||||
|
||||
final var grantCountAfter = sql("SELECT COUNT(*) FROM rbac.grants");
|
||||
final var grantCountAfter = sql("SELECT COUNT(*) FROM rbac.grant");
|
||||
assertThat(grantCountBefore).as("grant count must not change").isEqualTo(grantCountAfter);
|
||||
|
||||
final var roleCountAfter = sql("SELECT COUNT(*) FROM rbac.role");
|
||||
|
||||
Loading…
Reference in New Issue
Block a user