From 2cae17a0455e02a24f4d31f559d77c3c2184957b Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Fri, 16 Sep 2022 16:14:39 +0200
Subject: [PATCH] introduces generateRbacIdentityView to generate identity views
---
 .../db/changelog/058-rbac-generators.sql | 43 +++++++++++++++++++
 .../db/changelog/113-test-customer-rbac.sql | 34 ++--------
 .../db/changelog/123-test-package-rbac.sql | 35 ++--------
 .../db/changelog/133-test-domain-rbac.sql | 35 ++--------
 .../changelog/203-hs-office-contact-rbac.sql | 32 ++------
 .../changelog/213-hs-office-person-rbac.sql | 33 ++------
 .../changelog/223-hs-office-partner-rbac.sql | 41 +++---------
 7 files changed, 63 insertions(+), 190 deletions(-)
diff --git a/src/main/resources/db/changelog/058-rbac-generators.sql b/src/main/resources/db/changelog/058-rbac-generators.sql
index fa23989a..f15cac68 100644
--- a/src/main/resources/db/changelog/058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/058-rbac-generators.sql
@@ -70,3 +70,46 @@ begin
 execute sql;
 end; $$;
 --//
+
+
+-- ============================================================================
+--changeset rbac-generators-IDENTITY-VIEW:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+create or replace procedure generateRbacIdentityView(targetTable text, idNameExpression text)
+ language plpgsql as $$
+declare
+ sql text;
+begin
+ -- create a view to the target main table which maps an idName to the objectUuid
+ sql = format($sql$
+ create or replace view %1$s_iv as
+ select target.uuid, cleanIdentifier(%2$s) as idName
+ from %1$s as target;
+ grant all privileges on %1$s_iv to restricted;
+ $sql$, targetTable, idNameExpression);
+ execute sql;
+
+ -- creates a function which maps an idName to the objectUuid
+ sql = format($sql$
+ create or replace function %1$sUuidByIdName(givenIdName varchar)
+ returns uuid
+ language sql
+ strict as $f$
+ select uuid from %1$s_iv iv where iv.idName = givenIdName;
+ $f$;
+ $sql$, targetTable);
+ execute sql;
+
+ -- creates a function which maps an objectUuid to the related idName
+ sql = format($sql$
+ create or replace function %1$sIdNameByUuid(givenUuid uuid)
+ returns varchar
+ language sql
+ strict as $f$
+ select idName from %1$s_iv iv where iv.uuid = givenUuid;
+ $f$;
+ $sql$, targetTable);
+ execute sql;
+end; $$;
+--//
diff --git a/src/main/resources/db/changelog/113-test-customer-rbac.sql b/src/main/resources/db/changelog/113-test-customer-rbac.sql
index 380894d7..fb4b1dff 100644
--- a/src/main/resources/db/changelog/113-test-customer-rbac.sql
+++ b/src/main/resources/db/changelog/113-test-customer-rbac.sql
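Review bot: `grant all privileges on %1$s_iv to restricted` in the first `format()` template grants more than the view's read-only purpose needs; the two generated lookup functions only ever `select` from it, and since `uuid` is a plain column reference the view may be auto-updatable, so `grant select on %1$s_iv to restricted;` would confine `restricted` to what the functions require. The per-table `-- TODO.spec: Is it ok that everybody has access to this information?` comments deleted in the six call-site files are not carried into this generator, so that open exposure question is now recorded nowhere; placing the same comment above the grant in the template keeps it visible. Both `targetTable` and `idNameExpression` are interpolated unescaped via `%1$s`/`%2$s` into executed DDL, which is acceptable for literal changeset arguments but deserves a header comment such as `-- both arguments are spliced unescaped into DDL: pass only trusted, literal values`.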
@@ -78,37 +78,9 @@ execute procedure createRbacRolesForTestCustomer();
 -- ============================================================================
 --changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-
-/*
- Creates a view to the customer main table which maps the identifying name
- (in this case, the prefix) to the objectUuid.
- */
-drop view if exists test_customer_iv;
-create or replace view test_customer_iv as
-select target.uuid, target.prefix as idName
- from test_customer as target;
--- TODO.spec: Is it ok that everybody has access to this information?
-grant all privileges on test_customer_iv to restricted;
-
-/*
- Returns the objectUuid for a given identifying name (in this case the prefix).
- */
-create or replace function test_customerUuidByIdName(idName varchar)
- returns uuid
- language sql
- strict as $$
-select uuid from test_customer_iv iv where iv.idName = test_customerUuidByIdName.idName;
-$$;
-
-/*
- Returns the identifying name for a given objectUuid (in this case the prefix).
- */
-create or replace function test_customerIdNameByUuid(uuid uuid)
- returns varchar
- language sql
- strict as $$
-select idName from test_customer_iv iv where iv.uuid = test_customerIdNameByUuid.uuid;
-$$;
+call generateRbacIdentityView('test_customer', $idName$
+ target.prefix
+ $idName$);
 --//
diff --git a/src/main/resources/db/changelog/123-test-package-rbac.sql b/src/main/resources/db/changelog/123-test-package-rbac.sql
index 585fb6e4..473a185d 100644
--- a/src/main/resources/db/changelog/123-test-package-rbac.sql
+++ b/src/main/resources/db/changelog/123-test-package-rbac.sql
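Review bot: Replacing the hand-written `test_customer_iv` with the generator changes the exposed `idName`: the removed view selected `target.prefix` as is, whereas `generateRbacIdentityView` wraps the expression as `cleanIdentifier(target.prefix)`, so `test_customerUuidByIdName` now compares against the cleaned value and a lookup with a prefix that `cleanIdentifier` rewrites no longer matches. The same silent change applies to `test_package` and `test_domain` in 123-test-package-rbac.sql and 133-test-domain-rbac.sql, whose old views selected `target.name` unwrapped; the office views already used `cleanIdentifier` and are unaffected. Whether any of the test prefixes or names are actually altered by `cleanIdentifier` is not visible here; if the normalisation is intended, a comment such as `-- idName is now normalised by cleanIdentifier(), unlike the previous raw prefix` above the call records it.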
@@ -76,38 +76,9 @@ execute procedure createRbacRolesForTestPackage();
 -- ============================================================================
 --changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-
-/*
- Creates a view to the package main table which maps the identifying name
- (in this case, actually the column `name`) to the objectUuid.
- */
-drop view if exists test_package_iv;
-create or replace view test_package_iv as
-select distinct target.uuid, target.name as idName
- from test_package as target;
--- TODO: Is it ok that everybody has access to this information?
-grant all privileges on test_package_iv to restricted;
-
-/*
- Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
- */
-create or replace function test_packageUuidByIdName(idName varchar)
- returns uuid
- language sql
- strict as $$
-select uuid from test_package_iv iv where iv.idName = test_packageUuidByIdName.idName;
-$$;
-
-/*
- Returns the identifying name for a given objectUuid (in this case the name).
- */
-create or replace function test_packageIdNameByUuid(uuid uuid)
- returns varchar
- stable leakproof
- language sql
- strict as $$
-select idName from test_package_iv iv where iv.uuid = test_packageIdNameByUuid.uuid;
-$$;
+call generateRbacIdentityView('test_package', $idName$
+ target.name
+ $idName$);
 --//
diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql
index 5d7158b4..0774ef05 100644
--- a/src/main/resources/db/changelog/133-test-domain-rbac.sql
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql
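Review bot: The removed `test_packageIdNameByUuid` carried `stable leakproof`, but the function generated in its place is created with default (volatile) volatility and without `leakproof`, so the rewrite silently changes planner-visible attributes; the same applies to `test_domainIdNameByUuid` in 133-test-domain-rbac.sql. Dropping `leakproof` is the conservative direction, since it withdraws a promise the planner may use to evaluate the function ahead of security checks, but `stable` is a correct and free declaration for a body that only reads `%1$s_iv`, so consider adding it to the function templates in 058-rbac-generators.sql or noting the loss here with `-- note: the generated functions are no longer declared stable leakproof`. The old view also used `select distinct`, which the generated view omits; that is harmless if `test_package.uuid` is unique, which is not visible in this hunk.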
@@ -93,38 +93,9 @@ execute procedure createRbacRulesForTestDomain();
 -- ============================================================================
 --changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-
-/*
- Creates a view to the domain main table which maps the identifying name
- (in this case, actually the column `name`) to the objectUuid.
- */
-drop view if exists test_domain_iv;
-create or replace view test_domain_iv as
-select distinct target.uuid, target.name as idName
- from test_domain as target;
--- TODO.spec: Is it ok that everybody has access to this information?
-grant all privileges on test_domain_iv to restricted;
-
-/*
- Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
- */
-create or replace function test_domainUuidByIdName(idName varchar)
- returns uuid
- language sql
- strict as $$
-select uuid from test_domain_iv iv where iv.idName = test_domainUuidByIdName.idName;
-$$;
-
-/*
- Returns the identifying name for a given objectUuid (in this case the name).
- */
-create or replace function test_domainIdNameByUuid(uuid uuid)
- returns varchar
- stable leakproof
- language sql
- strict as $$
-select idName from test_domain_iv iv where iv.uuid = test_domainIdNameByUuid.uuid;
-$$;
+call generateRbacIdentityView('test_domain', $idName$
+ target.name
+ $idName$);
 --//
diff --git a/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql b/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
index f2f4516c..0502b2ba 100644
--- a/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
+++ b/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
@@ -77,35 +77,9 @@ execute procedure createRbacRolesForHsOfficeContact();
 --changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-/*
- Creates a view to the contact main table which maps the identifying name
- (in this case, the prefix) to the objectUuid.
- */
-create or replace view hs_office_contact_iv as
-select target.uuid, cleanIdentifier(target.label) as idName
- from hs_office_contact as target;
--- TODO.spec: Is it ok that everybody has access to this information?
-grant all privileges on hs_office_contact_iv to restricted;
-
-/*
- Returns the objectUuid for a given identifying name (in this case the prefix).
- */
-create or replace function hs_office_contactUuidByIdName(idName varchar)
- returns uuid
- language sql
- strict as $$
-select uuid from hs_office_contact_iv iv where iv.idName = hs_office_contactUuidByIdName.idName;
-$$;
-
-/*
- Returns the identifying name for a given objectUuid (in this case the label).
- */
-create or replace function hs_office_contactIdNameByUuid(uuid uuid)
- returns varchar
- language sql
- strict as $$
-select idName from hs_office_contact_iv iv where iv.uuid = hs_office_contactIdNameByUuid.uuid;
-$$;
+call generateRbacIdentityView('hs_office_contact', $idName$
+ target.label
+ $idName$);
 --//
diff --git a/src/main/resources/db/changelog/213-hs-office-person-rbac.sql b/src/main/resources/db/changelog/213-hs-office-person-rbac.sql
index c7ab28ea..a9fbe4a0 100644
--- a/src/main/resources/db/changelog/213-hs-office-person-rbac.sql
+++ b/src/main/resources/db/changelog/213-hs-office-person-rbac.sql
@@ -76,36 +76,9 @@ execute procedure createRbacRolesForHsOfficePerson();
 -- ============================================================================
 --changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-
-/*
- Creates a view to the person main table which maps the identifying name
- (in this case, the prefix) to the objectUuid.
- */
-create or replace view hs_office_person_iv as
-select target.uuid, cleanIdentifier(concat(target.tradeName, target.familyName, target.givenName)) as idName
- from hs_office_person as target;
--- TODO.spec: Is it ok that everybody has access to this information?
-grant all privileges on hs_office_person_iv to restricted;
-
-/*
- Returns the objectUuid for a given identifying name (in this case the prefix).
- */
-create or replace function hs_office_personUuidByIdName(idName varchar)
- returns uuid
- language sql
- strict as $$
-select uuid from hs_office_person_iv iv where iv.idName = hs_office_personUuidByIdName.idName;
-$$;
-
-/*
- Returns the identifying name for a given objectUuid (in this case the label).
- */
-create or replace function hs_office_personIdNameByUuid(uuid uuid)
- returns varchar
- language sql
- strict as $$
-select idName from hs_office_person_iv iv where iv.uuid = hs_office_personIdNameByUuid.uuid;
-$$;
+call generateRbacIdentityView('hs_office_person', $idName$
+ concat(target.tradeName, target.familyName, target.givenName)
+ $idName$);
 --//
diff --git a/src/main/resources/db/changelog/223-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/223-hs-office-partner-rbac.sql
index f89965d9..cc108f7a 100644
--- a/src/main/resources/db/changelog/223-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/223-hs-office-partner-rbac.sql
@@ -116,42 +116,11 @@ execute procedure hsOfficePartnerRbacRolesTrigger();
 -- ============================================================================
 --changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-
-/*
- Creates a view to the partner main table which maps the identifying name
- (in this case, the prefix) to the objectUuid.
- */
-create or replace view hs_office_partner_iv as
-select target.uuid,
- cleanIdentifier(
- (select idName from hs_office_person_iv p where p.uuid = target.personuuid)
- || '-' ||
- (select idName from hs_office_contact_iv c where c.uuid = target.contactuuid)
- )
- as idName
- from hs_office_partner as target;
--- TODO.spec: Is it ok that everybody has access to this information?
-grant all privileges on hs_office_partner_iv to restricted;
-
-/*
- Returns the objectUuid for a given identifying name (in this case the prefix).
- */
-create or replace function hs_office_partnerUuidByIdName(idName varchar)
- returns uuid
- language sql
- strict as $$
-select uuid from hs_office_partner_iv iv where iv.idName = hs_office_partnerUuidByIdName.idName;
-$$;
-
-/*
- Returns the identifying name for a given objectUuid (in this case the label).
- */
-create or replace function hs_office_partnerIdNameByUuid(uuid uuid)
- returns varchar
- language sql
- strict as $$
-select idName from hs_office_partner_iv iv where iv.uuid = hs_office_partnerIdNameByUuid.uuid;
-$$;
+call generateRbacIdentityView('hs_office_partner', $idName$
+ (select idName from hs_office_person_iv p where p.uuid = target.personuuid)
+ || '-' ||
+ (select idName from hs_office_contact_iv c where c.uuid = target.contactuuid)
+ $idName$);
 --//