From 36654a69d8613cdce50bd7dcb01c35444315de31 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Fri, 16 Feb 2024 16:48:37 +0100
Subject: [PATCH] fix misleading findPermissionId naming

---
 .../2022-07-18.row-level-security-mechanism.md  |  4 ++--
 sql/rbac-tests.sql                              |  8 ++++----
 sql/rbac-view-option-experiments.sql            |  4 ++--
 .../resources/db/changelog/050-rbac-base.sql    | 17 ++++++++++++++++-
 4 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/doc/adr/2022-07-18.row-level-security-mechanism.md b/doc/adr/2022-07-18.row-level-security-mechanism.md
index 21225288..6276bd4d 100644
--- a/doc/adr/2022-07-18.row-level-security-mechanism.md
+++ b/doc/adr/2022-07-18.row-level-security-mechanism.md
@@ -74,7 +74,7 @@ For restricted DB-users, which are used by the backend, access to rows is filter
         FOR SELECT
         TO restricted
         USING (
-            isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid())
+            isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentUserUuid())
         );
     
     SET SESSION AUTHORIZATION restricted;
@@ -101,7 +101,7 @@ We are bound to PostgreSQL, including integration tests and testing the RBAC sys
     CREATE OR REPLACE RULE "_RETURN" AS
         ON SELECT TO cust_view
         DO INSTEAD
-            SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid());
+            SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentUserUuid());
 
     SET SESSION AUTHORIZATION restricted;
     SET hsadminng.currentUser TO 'alex@example.com';
diff --git a/sql/rbac-tests.sql b/sql/rbac-tests.sql
index 0183a6a2..4e179dee 100644
--- a/sql/rbac-tests.sql
+++ b/sql/rbac-tests.sql
@@ -19,11 +19,11 @@ select *
 FROM queryAllPermissionsOfSubjectId(findRbacUser('rosa@example.com'));
 
 select *
-FROM queryAllRbacUsersWithPermissionsFor(findPermissionId('customer',
+FROM queryAllRbacUsersWithPermissionsFor(findEffectivePermissionId('customer',
                                                           (SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
                                                           'add-package'));
 select *
-FROM queryAllRbacUsersWithPermissionsFor(findPermissionId('package',
+FROM queryAllRbacUsersWithPermissionsFor(findEffectivePermissionId('package',
                                                           (SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
                                                           'delete'));
 
@@ -34,12 +34,12 @@ $$
         result bool;
     BEGIN
         userId = findRbacUser('superuser-alex@hostsharing.net');
-        result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
+        result = (SELECT * FROM isPermissionGrantedToSubject(findEffectivePermissionId('package', 94928, 'add-package'), userId));
         IF (result) THEN
             RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
         end if;
 
-        result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'view'), userId));
+        result = (SELECT * FROM isPermissionGrantedToSubject(findEffectivePermissionId('package', 94928, 'view'), userId));
         IF (NOT result) THEN
             RAISE EXCEPTION 'expected permission to be granted, but it is NOT';
         end if;
diff --git a/sql/rbac-view-option-experiments.sql b/sql/rbac-view-option-experiments.sql
index 3a6cab1a..d3ef736a 100644
--- a/sql/rbac-view-option-experiments.sql
+++ b/sql/rbac-view-option-experiments.sql
@@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
     TO restricted
     USING (
         -- id=1000
-        isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid())
+        isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'view'), currentUserUuid())
     );
 
 SET SESSION AUTHORIZATION restricted;
@@ -35,7 +35,7 @@ SELECT * FROM customer;
 CREATE OR REPLACE RULE "_RETURN" AS
     ON SELECT TO cust_view
     DO INSTEAD
-    SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
+    SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'view'), currentUserUuid());
 SELECT * from cust_view LIMIT 10;
 
 select queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net'));
diff --git a/src/main/resources/db/changelog/050-rbac-base.sql b/src/main/resources/db/changelog/050-rbac-base.sql
index aab14b95..40c15646 100644
--- a/src/main/resources/db/changelog/050-rbac-base.sql
+++ b/src/main/resources/db/changelog/050-rbac-base.sql
@@ -438,9 +438,24 @@ create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
 select uuid
     from RbacPermission p
     where p.objectUuid = forObjectUuid
-      and p.op in ('*', forOp)
+      and p.op = forOp
 $$;
 
+create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp RbacOp)
+    returns uuid
+    returns null on null input
+    stable -- leakproof
+    language plpgsql as $$
+declare
+    permissionId uuid;
+begin
+    permissionId := findPermissionId(forObjectUuid, forOp);
+    if permissionId is null and forOp <> '*' then
+        permissionId := findPermissionId(forObjectUuid, '*');
+    end if;
+    return permissionId;
+end $$;
+
 --//
 
 -- ============================================================================