hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 3 Activity

hs-package SQL-Scripts in Liquibase and some bugfixes

Browse Source
This commit is contained in:
Michael Hoennig 2022-07-29 12:37:40 +02:00
parent 61c50c46ed
commit 2b630aadbc
6 changed files with 181 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/main/resources/db/changelog/2022-07-28-005-rbac-base.sql
View File

@ -45,9 +45,12 @@ declare
objectId uuid; objectId uuid;
begin begin
insert insert
into RbacReference (type) values ('RbacUser') returning uuid into objectId; into RbacReference (type)
values ('RbacUser')
returning uuid into objectId;
insert insert
into RbacUser (uuid, name) values (objectid, userName); into RbacUser (uuid, name)
values (objectid, userName);
return objectId; return objectId;
end; end;
$$; $$;
@ -103,7 +106,9 @@ declare
begin begin
if TG_OP = 'INSERT' then if TG_OP = 'INSERT' then
insert insert
into RbacObject (objectTable) values (TG_TABLE_NAME) returning uuid into objectUuid; into RbacObject (objectTable)
values (TG_TABLE_NAME)
returning uuid into objectUuid;
NEW.uuid = objectUuid; NEW.uuid = objectUuid;
return NEW; return NEW;
else else
@ -153,9 +158,12 @@ declare
referenceId uuid; referenceId uuid;
begin begin
insert insert
into RbacReference (type) values ('RbacRole') returning uuid into referenceId; into RbacReference (type)
values ('RbacRole')
returning uuid into referenceId;
insert insert
into RbacRole (uuid, objectUuid, roleType) values (referenceId, roleDescriptor.objectUuid, roleDescriptor.roleType); into RbacRole (uuid, objectUuid, roleType)
values (referenceId, roleDescriptor.objectUuid, roleDescriptor.roleType);
return referenceId; return referenceId;
end; end;
$$; $$;
@ -254,9 +262,12 @@ begin
if (refId is null) then if (refId is null) then
raise notice 'createPermission: % %', forObjectUuid, permitOps[i]; raise notice 'createPermission: % %', forObjectUuid, permitOps[i];
insert insert
into RbacReference ("type") values ('RbacPermission') returning uuid into refId; into RbacReference ("type")
values ('RbacPermission')
returning uuid into refId;
insert insert
into RbacPermission (uuid, objectUuid, op) values (refId, forObjectUuid, permitOps[i]); into RbacPermission (uuid, objectUuid, op)
values (refId, forObjectUuid, permitOps[i]);
end if; end if;
raise notice 'addPermission: %', refId; raise notice 'addPermission: %', refId;
permissionIds = permissionIds || refId; permissionIds = permissionIds || refId;
@ -357,14 +368,16 @@ create or replace procedure grantPermissionsToRole(roleUuid uuid, permissionIds
language plpgsql as $$ language plpgsql as $$
begin begin
raise notice 'grantPermissionsToRole: % -> %', roleUuid, permissionIds; raise notice 'grantPermissionsToRole: % -> %', roleUuid, permissionIds;
if cardinality(permissionIds) = 0 then return; end if;
for i in array_lower(permissionIds, 1)..array_upper(permissionIds, 1) for i in array_lower(permissionIds, 1)..array_upper(permissionIds, 1)
loop loop
perform assertReferenceType('roleId (ascendant)', roleUuid, 'RbacRole'); perform assertReferenceType('roleId (ascendant)', roleUuid, 'RbacRole');
perform assertReferenceType('permissionId (descendant)', permissionIds[i], 'RbacPermission'); perform assertReferenceType('permissionId (descendant)', permissionIds[i], 'RbacPermission');
-- INSERT INTO RbacGrants (ascendantUuid, descendantUuid, apply) VALUES (roleId, permissionIds[i], true); -- assumeV1
insert insert
into RbacGrants (ascendantUuid, descendantUuid) values (roleUuid, permissionIds[i]); into RbacGrants (ascendantUuid, descendantUuid, follow)
values (roleUuid, permissionIds[i], true);
end loop; end loop;
end; end;
$$; $$;
@ -379,7 +392,6 @@ begin
raise exception 'Cyclic role grant detected between % and %', subRoleId, superRoleId; raise exception 'Cyclic role grant detected between % and %', subRoleId, superRoleId;
end if; end if;
-- INSERT INTO RbacGrants (ascendantUuid, descendantUuid, apply) VALUES (superRoleId, subRoleId, doapply); -- assumeV1
insert insert
into RbacGrants (ascendantUuid, descendantUuid, follow) into RbacGrants (ascendantUuid, descendantUuid, follow)
values (superRoleId, subRoleId, doFollow) values (superRoleId, subRoleId, doFollow)
@ -403,10 +415,9 @@ begin
perform assertReferenceType('roleId (ascendant)', roleId, 'RbacRole'); perform assertReferenceType('roleId (ascendant)', roleId, 'RbacRole');
perform assertReferenceType('userId (descendant)', userId, 'RbacUser'); perform assertReferenceType('userId (descendant)', userId, 'RbacUser');
-- INSERT INTO RbacGrants (ascendantUuid, descendantUuid, apply) VALUES (userId, roleId, true); -- assumeV1
insert insert
into RbacGrants (ascendantUuid, descendantUuid) into RbacGrants (ascendantUuid, descendantUuid, follow)
values (userId, roleId) values (userId, roleId, true)
on conflict do nothing; -- TODO: remove? on conflict do nothing; -- TODO: remove?
end; $$; end; $$;
--// --//
@ -646,10 +657,10 @@ end; $$;
--changeset rbac-base-pgsql-roles:1 endDelimiter:--// --changeset rbac-base-pgsql-roles:1 endDelimiter:--//
-- ------------------------------------------------------------------ -- ------------------------------------------------------------------
CREATE ROLE admin; create role admin;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO admin; grant all privileges on all tables in schema public to admin;
CREATE ROLE restricted; create role restricted;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO restricted; grant all privileges on all tables in schema public to restricted;
--// --//

8
src/main/resources/db/changelog/2022-07-28-020-rbac-role-builder.sql
View File

@ -21,6 +21,14 @@ begin
return row (createPermissions(forObjectUuid, permitOps))::RbacPermissions; return row (createPermissions(forObjectUuid, permitOps))::RbacPermissions;
end; $$; end; $$;
create or replace function withoutPermissions()
returns RbacPermissions
language plpgsql
strict as $$
begin
return row (array[]::uuid[]);
end; $$;
--// --//
--changeset rbac-role-builder-super-roles:1 endDelimiter:--// --changeset rbac-role-builder-super-roles:1 endDelimiter:--//

134
src/main/resources/db/changelog/22-hs-packages.sql → src/main/resources/db/changelog/2022-07-29-070-hs-package-rbac.sql
View File

@ -1,22 +1,28 @@
-- ======================================================== --liquibase formatted sql
-- Package example with RBAC
-- --------------------------------------------------------
set session session authorization default; -- ============================================================================
--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/
drop trigger if exists createRbacObjectForPackage_Trigger on package;
create trigger createRbacObjectForPackage_Trigger
before insert
on package
for each row
execute procedure createRbacObject();
--//
create table if not exists package
( -- ============================================================================
uuid uuid unique references RbacObject (uuid), --changeset hs-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
name character varying(5), -- ----------------------------------------------------------------------------
customerUuid uuid references customer (uuid)
);
create or replace function packageOwner(pac package) create or replace function packageOwner(pac package)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
declare
roleDesc RbacRoleDescriptor;
begin begin
return roleDescriptor('package', pac.uuid, 'admin'); return roleDescriptor('package', pac.uuid, 'admin');
end; $$; end; $$;
@ -36,16 +42,16 @@ create or replace function packageTenant(pac package)
begin begin
return roleDescriptor('package', pac.uuid, 'tenant'); return roleDescriptor('package', pac.uuid, 'tenant');
end; $$; end; $$;
--//
drop trigger if exists createRbacObjectForPackage_Trigger on package; -- ============================================================================
create trigger createRbacObjectForPackage_Trigger --changeset hs-package-rbac-ROLES-CREATION:1 endDelimiter:--//
before insert -- ----------------------------------------------------------------------------
on package /*
for each row Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
execute procedure createRbacObject(); */
create or replace function createRbacRolesForPackage()
create or replace function createRbacRulesForPackage()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -63,14 +69,14 @@ begin
-- an owner role is created and assigned to the customer's admin role -- an owner role is created and assigned to the customer's admin role
packageOwnerRoleUuid = createRole( packageOwnerRoleUuid = createRole(
packageOwner(NEW), packageOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']), withoutPermissions(),
beneathRole(customerAdmin(parentCustomer)) beneathRole(customerAdmin(parentCustomer))
); );
-- an owner role is created and assigned to the package owner role -- an owner role is created and assigned to the package owner role
packageAdminRoleUuid = createRole( packageAdminRoleUuid = createRole(
packageAdmin(NEW), packageAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit', 'add-unixuser', 'add-domain']), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']),
beneathRole(packageOwnerRoleUuid) beneathRole(packageOwnerRoleUuid)
); );
@ -85,12 +91,25 @@ begin
return NEW; return NEW;
end; $$; end; $$;
drop trigger if exists createRbacRulesForPackage_Trigger on package; /*
create trigger createRbacRulesForPackage_Trigger An AFTER INSERT TRIGGER which creates the role structure for a new package.
*/
drop trigger if exists createRbacRolesForPackage_Trigger on package;
create trigger createRbacRolesForPackage_Trigger
after insert after insert
on package on package
for each row for each row
execute procedure createRbacRulesForPackage(); execute procedure createRbacRolesForPackage();
--//
-- ============================================================================
--changeset hs-package-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER.
*/
create or replace function deleteRbacRulesForPackage() create or replace function deleteRbacRulesForPackage()
returns trigger returns trigger
@ -98,64 +117,39 @@ create or replace function deleteRbacRulesForPackage()
strict as $$ strict as $$
begin begin
if TG_OP = 'DELETE' then if TG_OP = 'DELETE' then
-- TODO call deleteRole(findRoleId(packageOwner(OLD)));
call deleteRole(findRoleId(packageAdmin(OLD)));
call deleteRole(findRoleId(packageTenant(OLD)));
else else
raise exception 'invalid usage of TRIGGER BEFORE DELETE'; raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if; end if;
end; $$; end; $$;
drop trigger if exists deleteRbacRulesForPackage_Trigger on customer; /*
An BEFORE DELETE TRIGGER which deletes the role structure of a package.
*/
drop trigger if exists deleteRbacRulesForPackage_Trigger on package;
create trigger deleteRbacRulesForPackage_Trigger create trigger deleteRbacRulesForPackage_Trigger
before delete before delete
on customer on package
for each row for each row
execute procedure deleteRbacRulesForPackage(); execute procedure deleteRbacRulesForPackage();
--//
-- create RBAC-restricted view
set session session authorization default; -- ============================================================================
-- ALTER TABLE package ENABLE ROW LEVEL SECURITY; --changeset hs-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a view to the customer main table which maps the identifying name
(in this case, the prefix) to the objectUuid.
*/
drop view if exists package_rv; drop view if exists package_rv;
create or replace view package_rv as create or replace view package_rv as
select distinct target.* select distinct target.*
from package as target from package as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectIds())); where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectIds()));
grant all privileges on package_rv to restricted; grant all privileges on package_rv to restricted;
--//
-- generate Package test data
do language plpgsql $$
declare
cust customer;
pacName varchar;
currentTask varchar;
custAdmin varchar;
begin
set hsadminng.currentUser to '';
for cust in (select * from customer)
loop
-- CONTINUE WHEN cust.reference < 18000;
for t in 0..randominrange(1, 2)
loop
pacName = cust.prefix || to_char(t, 'fm00');
currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
cust.uuid;
raise notice 'task: %', currentTask;
custAdmin = 'admin@' || cust.prefix || '.example.com';
set local hsadminng.currentUser to custAdmin;
set local hsadminng.assumedRoles = '';
set local hsadminng.currentTask to currentTask;
insert
into package (name, customerUuid)
values (pacName, cust.uuid);
commit;
end loop;
end loop;
end;
$$;

62
src/main/resources/db/changelog/2022-07-29-070-hs-package-test-data.sql Normal file
View File

@ -0,0 +1,62 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates test data for the package main table.
*/
create or replace procedure createPackageTestData(
minCustomerReference integer, -- skip customers with reference below this
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
)
language plpgsql as $$
declare
cust customer;
pacName varchar;
currentTask varchar;
custAdmin varchar;
begin
set hsadminng.currentUser to '';
for cust in (select * from customer)
loop
CONTINUE WHEN cust.reference < minCustomerReference;
for t in 0..randominrange(1, 2)
loop
pacName = cust.prefix || to_char(t, 'fm00');
currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
cust.uuid;
raise notice 'task: %', currentTask;
custAdmin = 'admin@' || cust.prefix || '.example.com';
set local hsadminng.currentUser to custAdmin;
set local hsadminng.assumedRoles = '';
set local hsadminng.currentTask to currentTask;
insert
into package (name, customerUuid)
values (pacName, cust.uuid);
end loop;
end loop;
if doCommitAfterEach then
commit;
end if;
end;
$$;
--//
-- ============================================================================
--changeset hs-package-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call createPackageTestData(0, false);
end;
$$;
--//

13
src/main/resources/db/changelog/2022-07-29-070-hs-package.sql Normal file
View File

@ -0,0 +1,13 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-package-MAIN-TABLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create table if not exists package
(
uuid uuid unique references RbacObject (uuid),
name character varying(5),
customerUuid uuid references customer (uuid)
);
--//

6
src/main/resources/db/changelog/db.changelog-master.yaml
View File

@ -21,5 +21,11 @@ databaseChangeLog:
file: db/changelog/2022-07-29-061-hs-customer-rbac.sql file: db/changelog/2022-07-29-061-hs-customer-rbac.sql
- include: - include:
file: db/changelog/2022-07-29-062-hs-customer-test-data.sql file: db/changelog/2022-07-29-062-hs-customer-test-data.sql
- include:
file: db/changelog/2022-07-29-070-hs-package.sql
- include:
file: db/changelog/2022-07-29-070-hs-package-rbac.sql
- include:
file: db/changelog/2022-07-29-070-hs-package-test-data.sql