amend rbac generators and re-generate

This commit is contained in:
Michael Hoennig 2024-09-14 13:19:41 +02:00
parent cde0feaa3f
commit 3d335def18
29 changed files with 146 additions and 109 deletions


@ -17,6 +17,7 @@ import java.io.IOException;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
@ -45,8 +46,8 @@ public class HsBookingItemRbacEntity extends HsBookingItem {
.withIdentityView(SQL.projection("caption"))
.withRestrictedViewOrderBy(SQL.expression("validity"))
.withUpdatableColumns("version", "caption", "validity", "resources")
.toRole("global", ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
.toRole("global", ADMIN).grantPermission(DELETE)
.toRole(GLOBAL, ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
.importEntityAlias("project", HsBookingProject.class, usingDefaultCase(),
dependsOnColumn("projectUuid"),


@ -20,6 +20,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
@ -91,7 +92,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
"""),
NOT_NULL)
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
.toRole("global", ADMIN).grantPermission(DELETE)
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
.createRole(OWNER, (with) -> {
with.incomingSuperRole("debitorRel", AGENT).unassumed();


@ -17,6 +17,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
@ -63,7 +64,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
"""),
NOT_NULL)
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
.toRole("global", ADMIN).grantPermission(DELETE)
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
.createRole(OWNER, (with) -> {
with.incomingSuperRole("debitorRel", AGENT).unassumed();


@ -62,7 +62,7 @@ public class HsOfficeBankAccountEntity implements BaseEntity<HsOfficeBankAccount
.withIdentityView(SQL.projection("iban"))
.withUpdatableColumns("holder", "iban", "bic")
.toRole("global", GUEST).grantPermission(INSERT)
.toRole(GLOBAL, GUEST).grantPermission(INSERT)
.createRole(OWNER, (with) -> {
with.owningUser(CREATOR);


@ -43,6 +43,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
@ -188,7 +189,7 @@ public class HsOfficeDebitorEntity implements BaseEntity<HsOfficeDebitorEntity>,
"vatBusiness",
"vatReverseCharge",
"defaultPrefix")
.toRole("global", ADMIN).grantPermission(INSERT)
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
.importRootEntityAliasProxy("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR),
directlyFetchedByDependsOnColumn(),


@ -40,6 +40,7 @@ import static net.hostsharing.hsadminng.mapper.PostgresDateRange.toPostgresDateR
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.upperInclusiveFromPostgresDateRange;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
@ -174,7 +175,7 @@ public class HsOfficeMembershipEntity implements BaseEntity<HsOfficeMembershipEn
WHERE partner.uuid = ${REF}.partnerUuid
"""),
NOT_NULL)
.toRole("global", ADMIN).grantPermission(INSERT)
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
.createRole(OWNER, (with) -> {
with.owningUser(CREATOR);


@ -13,6 +13,7 @@ import java.io.IOException;
import java.time.LocalDate;
import java.util.UUID;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
@ -82,7 +83,7 @@ public class HsOfficePartnerDetailsEntity implements BaseEntity<HsOfficePartnerD
"birthName",
"birthday",
"dateOfDeath")
.toRole("global", ADMIN).grantPermission(INSERT)
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
// The grants are defined in HsOfficePartnerEntity.rbac()
// because they have to be changed when its partnerRel changes,


@ -26,6 +26,7 @@ import java.util.UUID;
import static jakarta.persistence.CascadeType.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
@ -103,7 +104,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
return rbacViewFor("partner", HsOfficePartnerEntity.class)
.withIdentityView(SQL.projection("'P-' || partnerNumber"))
.withUpdatableColumns("partnerRelUuid")
.toRole("global", ADMIN).grantPermission(INSERT)
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationRbacEntity.class,
usingDefaultCase(),


@ -80,7 +80,7 @@ public class HsOfficePersonEntity implements BaseEntity<HsOfficePersonEntity>, S
return rbacViewFor("person", HsOfficePersonEntity.class)
.withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)"))
.withUpdatableColumns("personType", "title", "salutation", "tradeName", "givenName", "familyName")
.toRole("global", GUEST).grantPermission(INSERT)
.toRole(GLOBAL, GUEST).grantPermission(INSERT)
.createRole(OWNER, (with) -> {
with.permission(DELETE);


@ -55,7 +55,7 @@ public class InsertTriggerGenerator {
plPgSql.writeLn("""
-- granting INSERT permission to ${rawSubTable} ----------------------------
""",
with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()));
with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()));
if (isGrantToADifferentTable(g)) {
plPgSql.writeLn(
@ -73,7 +73,7 @@ public class InsertTriggerGenerator {
${whenCondition}
LOOP
call rbac.grantPermissionToRole(
createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
rbac.createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
${superRoleRef});
END LOOP;
end;
@ -84,40 +84,40 @@ public class InsertTriggerGenerator {
? "WHERE type = '${value}'"
.replace("${value}", g.getSuperRoleDef().getEntityAlias().usingCase().value)
: "-- unconditional for all rows in that table"),
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()),
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), "row")));
} else {
plPgSql.writeLn("""
-- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped,
-- because there cannot yet be any pre-existing rows in the same table yet.
""",
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()));
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()));
}
plPgSql.writeLn("""
/**
Grants ${rawSubTable} INSERT permission to specified role of new ${rawSuperTable} rows.
*/
create or replace function new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf()
create or replace function ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf()
returns trigger
language plpgsql
strict as $$
begin
${ifConditionThen}
call rbac.grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
rbac.createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
${superRoleRef});
${ifConditionEnd}
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tg
after insert on ${rawSuperTable}
create trigger z_new_${rawSubTable}_grants_after_insert_tg
after insert on ${rawSuperTableWithSchema}
for each row
execute procedure new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf();
execute procedure ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf();
""",
with("ifConditionThen", g.getSuperRoleDef().getEntityAlias().isCaseDependent()
// TODO.impl: .type needs to be dynamically generated
@ -127,8 +127,12 @@ public class InsertTriggerGenerator {
? "end if;"
: "-- end."),
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), NEW.name())),
with("rawSuperTableWithSchema", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
with("rawSuperTableShortName", g.getSuperRoleDef().getEntityAlias().getRawTableShortName()),
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()));
with("rawSuperTableSchemaName", g.getSuperRoleDef().getEntityAlias().getRawTableSchemaPrefix()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
with("rawSubTableShortName", g.getPermDef().getEntityAlias().getRawTableShortName()));
});
}
@ -158,7 +162,7 @@ public class InsertTriggerGenerator {
for each row
execute procedure ${rawSubTable}_insert_permission_missing_tf();
""",
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
plPgSql.writeLn("--//");
}
@ -192,7 +196,7 @@ public class InsertTriggerGenerator {
superObjectUuid uuid;
begin
""",
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
plPgSql.chopEmptyLines();
}
@ -231,7 +235,7 @@ public class InsertTriggerGenerator {
""",
with("caseCondition", caseCondition),
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
} else {
plPgSql.writeLn(
"""
@ -243,7 +247,7 @@ public class InsertTriggerGenerator {
end if;
""",
with("caseCondition", caseCondition),
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()),
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql),
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
@ -255,7 +259,7 @@ public class InsertTriggerGenerator {
plPgSql.writeLn();
plPgSql.writeLn("""
raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)',
NEW, base.currentSubjects(), currentSubjectOrAssumedRolesUuids();
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger ${rawSubTable}_insert_permission_check_tg
@ -264,7 +268,7 @@ public class InsertTriggerGenerator {
execute procedure ${rawSubTable}_insert_permission_check_tf();
--//
""",
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
}
private String toStringList(final Set<RbacView.CaseDef> cases) {
@ -272,7 +276,7 @@ public class InsertTriggerGenerator {
}
private boolean isGrantToADifferentTable(final RbacView.RbacGrantDefinition g) {
return !rbacDef.getRootEntityAlias().getRawTableName().equals(g.getSuperRoleDef().getEntityAlias().getRawTableName());
return !rbacDef.getRootEntityAlias().getRawTableNameWithSchema().equals(g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema());
}
private Stream<RbacView.RbacGrantDefinition> getInsertGrants() {
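Review bot: The trigger name on the `create trigger z_new_${rawSubTable}_grants_after_insert_tg` line is built from `${rawSubTable}`, which the `with("rawSubTable", ...)` binding a few lines below now resolves to `getRawTableNameWithSchema()`, so a sub table that lives in a schema yields an unquoted identifier containing a dot; the function name right next to it already switched to `${rawSubTableShortName}`, and the trigger should follow: `create trigger z_new_${rawSubTableShortName}_grants_after_insert_tg`. The re-generated sepamandate file in this commit already shows the mismatch (function `new_hsof_sepamandate_..._tf`, trigger `z_new_hs_office_sepamandate_..._tg`). The same binding change reaches the `${rawSubTable}_insert_permission_missing_tf()` and `${rawSubTable}_insert_permission_check_tg`/`_tf` templates in the later hunks, which presumably need a short-name or schema-prefix variable as well. The method enclosing the largest hunk begins before it.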


@ -12,7 +12,7 @@ public class RbacIdentityViewGenerator {
this.rbacDef = rbacDef;
this.liquibaseTagPrefix = liquibaseTagPrefix;
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
}
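Review bot: `rawTableName` now stores the schema-qualified name (the `rbac.global` form) while its name still says plain table name, which misleads the next reader; either rename the field to `rawTableNameWithSchema` or document it, e.g. `// schema-qualified, e.g. "rbac.global"; not usable as a bare identifier fragment`. The same assignment appears in RbacObjectGenerator, RbacRestrictedViewGenerator, RbacRoleDescriptorsGenerator and RolesGrantsAndPermissionsGenerator in this commit. Whether any of these generators splices the field into a function or trigger identifier is not visible in the hunks; if one does, a dotted name would break there too.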
void generateTo(final StringWriter plPgSql) {


@ -9,7 +9,7 @@ public class RbacObjectGenerator {
public RbacObjectGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
this.liquibaseTagPrefix = liquibaseTagPrefix;
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
}
void generateTo(final StringWriter plPgSql) {


@ -13,7 +13,7 @@ public class RbacRestrictedViewGenerator {
public RbacRestrictedViewGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
this.rbacDef = rbacDef;
this.liquibaseTagPrefix = liquibaseTagPrefix;
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
}
void generateTo(final StringWriter plPgSql) {


@ -11,7 +11,7 @@ public class RbacRoleDescriptorsGenerator {
public RbacRoleDescriptorsGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
this.liquibaseTagPrefix = liquibaseTagPrefix;
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
}
void generateTo(final StringWriter plPgSql) {


@ -548,7 +548,7 @@ public class RbacView {
}
public RbacView grantPermission(final Permission perm) {
final var forTable = rootEntityAlias.getRawTableName();
final var forTable = rootEntityAlias.getRawTableNameWithSchema();
findOrCreateGrantDef(findRbacPerm(rootEntityAlias, perm, forTable), superRoleDef).toCreate();
return RbacView.this;
}
@ -937,7 +937,7 @@ public class RbacView {
return switch (fetchSql.part) {
case SQL_QUERY -> fetchSql;
case AUTO_FETCH ->
SQL.query("SELECT * FROM " + getRawTableName() + " WHERE uuid = ${ref}." + dependsOnColum.column);
SQL.query("SELECT * FROM " + getRawTableNameWithSchema() + " WHERE uuid = ${ref}." + dependsOnColum.column);
default -> throw new IllegalStateException("unexpected SQL definition: " + fetchSql);
};
}
@ -960,13 +960,39 @@ public class RbacView {
: uncapitalize(withoutEntitySuffix(entityClass.getSimpleName()));
}
String getRawTableName() {
String getRawTableNameWithSchema() {
if ( aliasName.equals("rbac.global")) {
return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
}
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
}
String getRawTableSchemaPrefix() {
final var rawTableNameWithSchema = getRawTableNameWithSchema();
final var parts = rawTableNameWithSchema.split("\\.");
final var rawTableSchemaPrefix = parts.length > 1 ? parts[0] + "." : "";
return rawTableSchemaPrefix;
}
String getRawTableName() {
final var rawTableNameWithSchema = getRawTableNameWithSchema();
final var parts = rawTableNameWithSchema.split("\\.");
final var rawTableName = parts.length > 1 ? parts[1] : rawTableNameWithSchema;
return rawTableName;
}
String getRawTableShortName() {
// TODO.impl: some combined function and trigger names are too long
// maybe we should shorten the table name e.g. hs_office_coopsharestransaction -> hsof.coopsharetx
// this is just a workaround:
return getRawTableName()
.replace("hs_office_", "hsof_")
.replace("hs_booking_", "hsbk_")
.replace("hs_hosting_", "hsho_")
.replace("coopsharestransaction", "coopsharetx")
.replace("coopassetstransaction", "coopassettx");
}
String dependsOnColumName() {
if (dependsOnColum == null) {
throw new IllegalStateException(
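Review bot: The four naming accessors (`getRawTableNameWithSchema`, `getRawTableSchemaPrefix`, `getRawTableName`, `getRawTableShortName`) carry no Javadoc, and the semantic change is not obvious from the code: `getRawTableName()` previously returned what is now `getRawTableNameWithSchema()` (the renamed line at the top of this hunk), so a caller the commit did not update would silently get the unqualified name, and an unqualified name in generated SQL is resolved through the session's search_path instead of being pinned to the intended schema. Each method should get a one-line Javadoc stating what it returns for a qualified and an unqualified table name, e.g. for `getRawTableSchemaPrefix()`: `/** Schema part of the table name including the trailing dot, e.g. "rbac." for "rbac.global"; empty if there is no schema prefix. */`. `getRawTableSchemaPrefix()` and `getRawTableName()` both re-split the same string; computing `final var dot = getRawTableNameWithSchema().indexOf('.');` once and deriving both from that index would remove the duplication and the implicit assumption of at most one dot. The comment on `getRawTableShortName()` should also say that the replacement chain is order-sensitive and must stay in sync with the generated file names committed alongside.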


@ -17,7 +17,7 @@ public class RbacViewPostgresGenerator {
public RbacViewPostgresGenerator(final RbacView forRbacDef) {
rbacDef = forRbacDef;
liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableName().replace("_", "-");
liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableNameWithSchema().replace("_", "-");
plPgSql.writeLn("""
--liquibase formatted sql
-- This code generated was by ${generator}, do not amend manually.


@ -40,7 +40,7 @@ class RolesGrantsAndPermissionsGenerator {
simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
simpleEntityName = capitalize(simpleEntityVarName);
rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
}
void generateTo(final StringWriter plPgSql) {
@ -77,7 +77,7 @@ class RolesGrantsAndPermissionsGenerator {
plPgSql.writeLn("declare");
plPgSql.indented(() -> {
referencedEntityAliases()
.forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";"));
.forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";"));
});
plPgSql.writeLn();
@ -145,8 +145,8 @@ class RolesGrantsAndPermissionsGenerator {
plPgSql.indented(() -> {
referencedEntityAliases()
.forEach((ea) -> {
plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableName() + ";");
plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";");
plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableNameWithSchema() + ";");
plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";");
});
});
@ -322,7 +322,7 @@ class RolesGrantsAndPermissionsGenerator {
final var grantSql = switch (grantDef.grantType()) {
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});"
.replace("${assumed}", grantDef.isAssumed() ? "" : ", unassumed()")
.replace("${assumed}", grantDef.isAssumed() ? "" : ", rbac.unassumed()")
.replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef()))
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
case PERM_TO_ROLE ->
@ -343,7 +343,7 @@ class RolesGrantsAndPermissionsGenerator {
}
private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
return permRef("createPermission", ref, permDef);
return permRef("rbac.createPermission", ref, permDef);
}
private String permRef(final String functionName, final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
@ -580,7 +580,7 @@ class RolesGrantsAndPermissionsGenerator {
private String toPlPgSqlReference(final RbacView.RbacSubjectReference userRef) {
return switch (userRef.role) {
case CREATOR -> "currentSubjectUuid()";
case CREATOR -> "rbac.currentSubjectUuid()";
default -> throw new IllegalArgumentException("unknown user role: " + userRef);
};
}
@ -589,9 +589,9 @@ class RolesGrantsAndPermissionsGenerator {
final PostgresTriggerReference triggerRef,
final RbacView.RbacRoleDefinition roleDef,
final boolean assumed) {
final var assumedArg = assumed ? "" : ", unassumed()";
final var assumedArg = assumed ? "" : ", rbac.unassumed()";
return toRoleRef(roleDef) +
(roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(unassumed())")
(roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(rbac.unassumed())")
: rbacDef.isRootEntityAlias(roleDef.getEntityAlias()) ? ("(" + triggerRef.name() + ")")
: "(" + toTriggerReference(triggerRef, roleDef.getEntityAlias()) + assumedArg + ")");
}
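Review bot: The literal `rbac.unassumed()` is now spelled out three times in this section (the `${assumed}` replacement in the grant switch, `assumedArg`, and the global branch of the same helper), so the schema or function name can drift between them on the next edit; a single `private static final String UNASSUMED_CALL = "rbac.unassumed()";` used as `", " + UNASSUMED_CALL` and `"(" + UNASSUMED_CALL + ")"` keeps them aligned. The same goes for the `rbac.` prefix written inline in `createPerm` and `toPlPgSqlReference`. The helper in the last hunk and the method declaring `grantSql` both start before their hunks.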


@ -87,7 +87,7 @@ execute procedure insertTriggerForTestCustomer_tf();
*/
do language plpgsql $$
declare
row rbac.global%ROWTYPE;
row rbac.global;
begin
call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
@ -96,15 +96,15 @@ do language plpgsql $$
LOOP
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
rbac.globalAdmin());
rbac.globalADMIN());
END LOOP;
end;
$$;
/**
Grants test_customer INSERT permission to specified role of new rbac.global rows.
Grants test_customer INSERT permission to specified role of new global rows.
*/
create or replace function new_test_customer_grants_insert_to_global_tf()
create or replace function rbac.new_test_customer_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
@ -112,16 +112,16 @@ begin
-- unconditional for all rows in that table
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
rbac.globalAdmin());
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_test_customer_grants_insert_to_global_tg
create trigger z_new_test_customer_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_test_customer_grants_insert_to_global_tf();
execute procedure rbac.new_test_customer_grants_insert_to_global_tf();
-- ============================================================================


@ -183,7 +183,7 @@ begin
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_test_package_grants_insert_to_test_customer_tg
create trigger z_new_test_package_grants_after_insert_tg
after insert on test_customer
for each row
execute procedure new_test_package_grants_insert_to_test_customer_tf();


@ -182,7 +182,7 @@ begin
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_test_domain_grants_insert_to_test_package_tg
create trigger z_new_test_domain_grants_after_insert_tg
after insert on test_package
for each row
execute procedure new_test_domain_grants_insert_to_test_package_tf();


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficePersonOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[rbac.globalAdmin()],
incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);


@ -164,24 +164,24 @@ execute procedure updateTriggerForHsOfficePartner_tf();
*/
do language plpgsql $$
declare
row rbac.global%ROWTYPE;
row rbac.global;
begin
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows');
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table
LOOP
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
rbac.globalAdmin());
rbac.globalADMIN());
END LOOP;
end;
$$;
/**
Grants hs_office_partner INSERT permission to specified role of new rbac.global rows.
Grants hs_office_partner INSERT permission to specified role of new global rows.
*/
create or replace function new_hs_office_partner_grants_insert_to_global_tf()
create or replace function rbac.new_hsof_partner_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
@ -189,16 +189,16 @@ begin
-- unconditional for all rows in that table
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
rbac.globalAdmin());
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_grants_insert_to_global_tg
create trigger z_new_hs_office_partner_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_hs_office_partner_grants_insert_to_global_tf();
execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
-- ============================================================================


@ -70,14 +70,14 @@ do language plpgsql $$
declare
row rbac.global;
begin
call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table
LOOP
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
rbac.globalAdmin());
rbac.globalADMIN());
END LOOP;
end;
$$;
@ -85,7 +85,7 @@ $$;
/**
Grants hs_office_partner_details INSERT permission to specified role of new global rows.
*/
create or replace function new_hs_office_partner_details_grants_insert_to_global_tf()
create or replace function rbac.new_hsof_partner_details_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
@ -93,16 +93,16 @@ begin
-- unconditional for all rows in that table
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
rbac.globalAdmin());
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
create trigger z_new_hs_office_partner_details_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
execute procedure rbac.new_hsof_partner_details_grants_insert_to_global_tf();
-- ============================================================================
@ -118,7 +118,7 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
declare
superObjectUuid uuid;
begin
-- check INSERT INSERT if rbac.Global ADMIN
-- check INSERT INSERT if rbac.global ADMIN
if rbac.isGlobalAdmin() then
return NEW;
end if;


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[rbac.globalAdmin()],
incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);


@ -130,31 +130,31 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to rbac.Global ----------------------------
-- granting INSERT permission to rbac.global ----------------------------
/*
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
*/
do language plpgsql $$
declare
row rbac.global%ROWTYPE;
row rbac.global;
begin
call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows');
call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table
LOOP
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
rbac.globalAdmin());
rbac.globalADMIN());
END LOOP;
end;
$$;
/**
Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows.
Grants hs_office_debitor INSERT permission to specified role of new global rows.
*/
create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
create or replace function rbac.new_hsof_debitor_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
@ -162,16 +162,16 @@ begin
-- unconditional for all rows in that table
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
rbac.globalAdmin());
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
create trigger z_new_hs_office_debitor_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
execute procedure rbac.new_hsof_debitor_grants_insert_to_global_tf();
-- ============================================================================


@ -50,7 +50,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[rbac.globalAdmin()],
incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
@ -129,7 +129,7 @@ $$;
/**
Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
*/
create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf()
create or replace function new_hsof_sepamandate_grants_insert_to_hsof_relation_tf()
returns trigger
language plpgsql
strict as $$
@ -143,10 +143,10 @@ begin
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg
create trigger z_new_hs_office_sepamandate_grants_after_insert_tg
after insert on hs_office_relation
for each row
execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf();
execute procedure new_hsof_sepamandate_grants_insert_to_hsof_relation_tf();
-- ============================================================================


@ -99,24 +99,24 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
*/
do language plpgsql $$
declare
row rbac.global%ROWTYPE;
row rbac.global;
begin
call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows');
call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table
LOOP
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
rbac.globalAdmin());
rbac.globalADMIN());
END LOOP;
end;
$$;
/**
Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows.
Grants hs_office_membership INSERT permission to specified role of new global rows.
*/
create or replace function new_hs_office_membership_grants_insert_to_global_tf()
create or replace function rbac.new_hsof_membership_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
@ -124,16 +124,16 @@ begin
-- unconditional for all rows in that table
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
rbac.globalAdmin());
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_membership_grants_insert_to_global_tg
create trigger z_new_hs_office_membership_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_hs_office_membership_grants_insert_to_global_tf();
execute procedure rbac.new_hsof_membership_grants_insert_to_global_tf();
-- ============================================================================
@ -149,7 +149,7 @@ create or replace function hs_office_membership_insert_permission_check_tf()
declare
superObjectUuid uuid;
begin
-- check INSERT INSERT if rbac.Global ADMIN
-- check INSERT INSERT if rbac.global ADMIN
if rbac.isGlobalAdmin() then
return NEW;
end if;


@ -92,7 +92,7 @@ $$;
/**
Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
*/
create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf()
create or replace function new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf()
returns trigger
language plpgsql
strict as $$
@ -106,10 +106,10 @@ begin
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg
create trigger z_new_hs_office_coopsharestransaction_grants_after_insert_tg
after insert on hs_office_membership
for each row
execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf();
execute procedure new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf();
-- ============================================================================


@ -92,7 +92,7 @@ $$;
/**
Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
*/
create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf()
create or replace function new_hsof_coopassettx_grants_insert_to_hsof_membership_tf()
returns trigger
language plpgsql
strict as $$
@ -106,10 +106,10 @@ begin
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg
create trigger z_new_hs_office_coopassetstransaction_grants_after_insert_tg
after insert on hs_office_membership
for each row
execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf();
execute procedure new_hsof_coopassettx_grants_insert_to_hsof_membership_tf();
-- ============================================================================