rbac.permission

This commit is contained in:
Michael Hoennig 2024-09-13 20:33:32 +02:00
parent 365a228d44
commit 357c091411
5 changed files with 25 additions and 25 deletions


@ -94,7 +94,7 @@ public class RbacGrantsDiagramService {
} }
public String allGrantsFrom(final UUID targetObject, final String op, final EnumSet<Include> includes) { public String allGrantsFrom(final UUID targetObject, final String op, final EnumSet<Include> includes) {
final var refUuid = (UUID) em.createNativeQuery("SELECT uuid FROM rbacpermission WHERE objectuuid=:targetObject AND op=:op") final var refUuid = (UUID) em.createNativeQuery("SELECT uuid FROM rbac.permission WHERE objectuuid=:targetObject AND op=:op")
.setParameter("targetObject", targetObject) .setParameter("targetObject", targetObject)
.setParameter("op", op) .setParameter("op", op)
.getSingleResult(); .getSingleResult();


@ -6,7 +6,7 @@
/* /*
*/ */
create type rbac.referenceType as enum ('rbac.subject', 'RbacRole', 'RbacPermission'); create type rbac.referenceType as enum ('rbac.subject', 'RbacRole', 'rbac.permission');
create table rbac.reference create table rbac.reference
( (
@ -331,7 +331,7 @@ create or replace function deleteRbacRolesOfRbacObject()
strict as $$ strict as $$
begin begin
if TG_OP = 'DELETE' then if TG_OP = 'DELETE' then
delete from RbacPermission p where p.objectuuid = old.uuid; delete from rbac.permission p where p.objectuuid = old.uuid;
delete from RbacRole r where r.objectUuid = old.uuid; delete from RbacRole r where r.objectUuid = old.uuid;
else else
raise exception 'invalid usage of TRIGGER BEFORE DELETE'; raise exception 'invalid usage of TRIGGER BEFORE DELETE';
@ -365,7 +365,7 @@ create domain RbacOp as varchar(6)
or VALUE = 'ASSUME' or VALUE = 'ASSUME'
); );
create table RbacPermission create table rbac.permission
( (
uuid uuid primary key references rbac.reference (uuid) on delete cascade, uuid uuid primary key references rbac.reference (uuid) on delete cascade,
objectUuid uuid not null references rbac.object, objectUuid uuid not null references rbac.object,
@ -373,13 +373,13 @@ create table RbacPermission
opTableName varchar(60) opTableName varchar(60)
); );
-- TODO.perf: check if these indexes are really useful -- TODO.perf: check if these indexes are really useful
create index on RbacPermission (objectUuid, op); create index on rbac.permission (objectUuid, op);
create index on RbacPermission (opTableName, op); create index on rbac.permission (opTableName, op);
ALTER TABLE RbacPermission ALTER TABLE rbac.permission
ADD CONSTRAINT RbacPermission_uc UNIQUE NULLS NOT DISTINCT (objectUuid, op, opTableName); ADD CONSTRAINT RbacPermission_uc UNIQUE NULLS NOT DISTINCT (objectUuid, op, opTableName);
call base.create_journal('RbacPermission'); call base.create_journal('rbac.permission');
create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
returns uuid returns uuid
@ -398,19 +398,19 @@ begin
end if; end if;
permissionUuid := ( permissionUuid := (
select uuid from RbacPermission select uuid from rbac.permission
where objectUuid = forObjectUuid where objectUuid = forObjectUuid
and op = forOp and opTableName is not distinct from forOpTableName); and op = forOp and opTableName is not distinct from forOpTableName);
if (permissionUuid is null) then if (permissionUuid is null) then
insert into rbac.reference ("type") insert into rbac.reference ("type")
values ('RbacPermission') values ('rbac.permission')
returning uuid into permissionUuid; returning uuid into permissionUuid;
begin begin
insert into RbacPermission (uuid, objectUuid, op, opTableName) insert into rbac.permission (uuid, objectUuid, op, opTableName)
values (permissionUuid, forObjectUuid, forOp, forOpTableName); values (permissionUuid, forObjectUuid, forOp, forOpTableName);
exception exception
when others then when others then
raise exception 'insert into RbacPermission (uuid, objectUuid, op, opTableName) raise exception 'insert into rbac.permission (uuid, objectUuid, op, opTableName)
values (%, %, %, %);', permissionUuid, forObjectUuid, forOp, forOpTableName; values (%, %, %, %);', permissionUuid, forObjectUuid, forOp, forOpTableName;
end; end;
end if; end if;
@ -423,7 +423,7 @@ create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp R
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
select uuid select uuid
from RbacPermission p from rbac.permission p
where p.objectUuid = forObjectUuid where p.objectUuid = forObjectUuid
and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT' and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT'
and p.opTableName = forOpTableName and p.opTableName = forOpTableName
@ -435,7 +435,7 @@ create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, fo
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
select uuid select uuid
from RbacPermission p from rbac.permission p
where p.objectUuid = forObjectUuid where p.objectUuid = forObjectUuid
and p.op = forOp and p.op = forOp
and p.opTableName = forOpTableName and p.opTableName = forOpTableName
@ -449,7 +449,7 @@ declare
permissionUuid uuid; permissionUuid uuid;
begin begin
select uuid into permissionUuid select uuid into permissionUuid
from RbacPermission p from rbac.permission p
where p.objectUuid = forObjectUuid where p.objectUuid = forObjectUuid
and p.op = forOp and p.op = forOp
and forOpTableName is null or p.opTableName = forOpTableName; and forOpTableName is null or p.opTableName = forOpTableName;
@ -592,7 +592,7 @@ create or replace procedure grantPermissionToRole(permissionUuid uuid, roleUuid
language plpgsql as $$ language plpgsql as $$
begin begin
perform rbac.assertReferenceType('roleId (ascendant)', roleUuid, 'RbacRole'); perform rbac.assertReferenceType('roleId (ascendant)', roleUuid, 'RbacRole');
perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'RbacPermission'); perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission');
insert insert
into rbac.grants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed) into rbac.grants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
@ -683,14 +683,14 @@ begin
superRoleId := findRoleId(superRole); superRoleId := findRoleId(superRole);
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'RbacRole'); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'RbacRole');
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'RbacPermission'); perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
if (isGranted(superRoleId, permissionId)) then if (isGranted(superRoleId, permissionId)) then
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId; delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId;
else else
select p.op, o.objectTable, o.uuid select p.op, o.objectTable, o.uuid
from rbac.grants g from rbac.grants g
join rbacPermission p on p.uuid=g.descendantUuid join rbac.permission p on p.uuid=g.descendantUuid
join rbac.object o on o.uuid=p.objectUuid join rbac.object o on o.uuid=p.objectUuid
where g.uuid=permissionId where g.uuid=permissionId
into permissionOp, objectTable, objectUuid; into permissionOp, objectTable, objectUuid;
@ -735,7 +735,7 @@ begin
) )
SELECT DISTINCT perm.objectUuid SELECT DISTINCT perm.objectUuid
FROM granted FROM granted
JOIN RbacPermission perm ON granted.descendantUuid = perm.uuid JOIN rbac.permission perm ON granted.descendantUuid = perm.uuid
JOIN rbac.object obj ON obj.uuid = perm.objectUuid JOIN rbac.object obj ON obj.uuid = perm.objectUuid
WHERE (requiredOp = 'SELECT' OR perm.op = requiredOp) WHERE (requiredOp = 'SELECT' OR perm.op = requiredOp)
AND obj.objectTable = forObjectTable AND obj.objectTable = forObjectTable
@ -759,7 +759,7 @@ $$;
Returns all permissions accessible to the given subject UUID (subject or role). Returns all permissions accessible to the given subject UUID (subject or role).
*/ */
create or replace function queryPermissionsGrantedToSubjectId(subjectId uuid) create or replace function queryPermissionsGrantedToSubjectId(subjectId uuid)
returns setof RbacPermission returns setof rbac.permission
strict strict
language sql as $$ language sql as $$
with recursive grants as ( with recursive grants as (
@ -772,7 +772,7 @@ with recursive grants as (
inner join grants on grants.descendantUuid = g.ascendantUuid inner join grants on grants.descendantUuid = g.ascendantUuid
) )
select perm.* select perm.*
from RbacPermission perm from rbac.permission perm
where perm.uuid in ( where perm.uuid in (
select descendantUuid select descendantUuid
from grants from grants
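Review bot: The predicate in the `-449,7` hunk mixes `and` and `or` without parentheses, `and forOpTableName is null or p.opTableName = forOpTableName;`, so SQL precedence parses it as `(p.objectUuid = forObjectUuid and p.op = forOp and forOpTableName is null) or p.opTableName = forOpTableName`; with a non-null forOpTableName, a permission row on any object and any op that merely shares the table name qualifies, and `select uuid into permissionUuid` then silently takes the first such row. The fix is to group the alternative: `and (forOpTableName is null or p.opTableName = forOpTableName);`. The sibling lookup in findPermissionId (the `-435,7` hunk) writes the same three conditions as a plain conjunction, which supports reading the grouping, not the disjunction, as the intent. The function enclosing the `-449,7` hunk starts before the hunk, so its name and declared parameters are not visible here.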


@ -93,7 +93,7 @@ create or replace view rbacgrants_ev as
left outer join rbacrole as dr on dr.uuid = g.descendantUuid left outer join rbacrole as dr on dr.uuid = g.descendantUuid
left outer join rbac.object as dro on dro.uuid = dr.objectuuid left outer join rbac.object as dro on dro.uuid = dr.objectuuid
left outer join rbacpermission dp on dp.uuid = g.descendantUuid left outer join rbac.permission dp on dp.uuid = g.descendantUuid
left outer join rbac.object as dpo on dpo.uuid = dp.objectUuid left outer join rbac.object as dpo on dpo.uuid = dp.objectUuid
) as x ) as x
left outer join rbacrole as r on r.uuid = grantedByRoleUuid left outer join rbacrole as r on r.uuid = grantedByRoleUuid
@ -331,7 +331,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
o.objecttable, r.objectidname, o.uuid as objectuuid o.objecttable, r.objectidname, o.uuid as objectuuid
from rbacrole_rv r from rbacrole_rv r
join rbac.grants g on g.ascendantuuid = r.uuid join rbac.grants g on g.ascendantuuid = r.uuid
join rbacpermission p on p.uuid = g.descendantuuid join rbac.permission p on p.uuid = g.descendantuuid
join rbac.object o on o.uuid = p.objectuuid; join rbac.object o on o.uuid = p.objectuuid;
grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
-- @formatter:om -- @formatter:om
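Review bot: `grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};` gives the restricted role INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES and TRIGGER on what reads as a read-only reporting view; a view over a three-way join is not auto-updatable in PostgreSQL, so most of that grant is inert today, but it stops being inert if the view is ever rewritten over a single table or given INSTEAD OF triggers. The least-privilege form is `grant select on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};`. The trailing `-- @formatter:om` looks like a typo for `-- @formatter:on`, which would leave the IDE formatter disabled for the rest of the file. The view definition that this grant applies to starts before the hunk.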


@ -202,7 +202,7 @@ begin
as valid) as valid)
select distinct perm.objectuuid select distinct perm.objectuuid
from recursive_grants from recursive_grants
join rbacpermission perm on recursive_grants.descendantuuid = perm.uuid join rbac.permission perm on recursive_grants.descendantuuid = perm.uuid
join rbac.object obj on obj.uuid = perm.objectuuid join rbac.object obj on obj.uuid = perm.objectuuid
join count_check cc on cc.valid join count_check cc on cc.valid
where obj.objectTable = '%1$s' -- 'SELECT' permission is included in all other permissions where obj.objectTable = '%1$s' -- 'SELECT' permission is included in all other permissions
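Review bot: `where obj.objectTable = '%1$s'` builds the table-name literal by host-side string substitution (the `%1$s` looks like Java positional format syntax) rather than a bound parameter, and the hunk gives no indication of where the substituted value originates; this is only safe if the generator takes it from a fixed, code-owned list of table names and never from request data. A comment on this line stating that constraint would help the next reader, e.g. `-- %1$s: object table name substituted by the generator from a fixed list, never from request input`. The function body this belongs to begins and ends outside the hunk, so the substitution site itself cannot be checked here.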


@ -14,7 +14,7 @@ select no, to_char("count", '9 999 999 999') as "count", "table"
from RbacRole from RbacRole
union union
select 3 as no, count(*) as "count", 'permissions' as "table" select 3 as no, count(*) as "count", 'permissions' as "table"
from RbacPermission from rbac.permission
union union
select 4 as no, count(*) as "count", 'references' as "table" select 4 as no, count(*) as "count", 'references' as "table"
from rbac.reference from rbac.reference