rbac schema in 1055-rbac-views.sql
parent
129aba0c74
commit
3d34854052
@ -144,7 +144,7 @@ grant all privileges on rbacrole_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}
|
|||||||
/**
|
/**
|
||||||
Instead of insert trigger function for RbacGrants_RV.
|
Instead of insert trigger function for RbacGrants_RV.
|
||||||
*/
|
*/
|
||||||
create or replace function insertRbacGrant()
|
create or replace function rbac.insert_grant_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
@ -161,11 +161,11 @@ end; $$;
|
|||||||
/*
|
/*
|
||||||
Creates an instead of insert trigger for the RbacGrants_rv view.
|
Creates an instead of insert trigger for the RbacGrants_rv view.
|
||||||
*/
|
*/
|
||||||
create trigger insertRbacGrant_Trigger
|
create trigger insert_grant_tg
|
||||||
instead of insert
|
instead of insert
|
||||||
on RbacGrants_rv
|
on RbacGrants_rv
|
||||||
for each row
|
for each row
|
||||||
execute function insertRbacGrant();
|
execute function rbac.insert_grant_tf();
|
||||||
--/
|
--/
|
||||||
|
|
||||||
|
|
||||||
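Review bot: The trigger at `create trigger insert_grant_tg` is attached with `on RbacGrants_rv` and no schema qualifier, while its function is now `rbac.insert_grant_tf()`, so which view the trigger ends up on depends on the search_path in effect when this file is applied. If the view was moved into the `rbac` schema elsewhere in this commit, the target should read `on rbac.RbacGrants_rv`; if it deliberately stays in the default schema, a one-line comment such as `-- view intentionally left unqualified; resolved via search_path` would keep the next reader from "fixing" it. The same applies to the delete trigger in the hunk at `@ -189,11 +189,11 @@`. For an access-control view, explicit qualification is worth the extra characters, since PostgreSQL resolves unqualified names through search_path.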
@ -178,7 +178,7 @@ execute function insertRbacGrant();
|
|||||||
|
|
||||||
Checks if the current subject or assumed role have the permission to revoke the grant.
|
Checks if the current subject or assumed role have the permission to revoke the grant.
|
||||||
*/
|
*/
|
||||||
create or replace function deleteRbacGrant()
|
create or replace function rbac.delete_grant_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
@ -189,11 +189,11 @@ end; $$;
|
|||||||
/*
|
/*
|
||||||
Creates an instead of delete trigger for the RbacGrants_rv view.
|
Creates an instead of delete trigger for the RbacGrants_rv view.
|
||||||
*/
|
*/
|
||||||
create trigger deleteRbacGrant_Trigger
|
create trigger delete_grant_tg
|
||||||
instead of delete
|
instead of delete
|
||||||
on RbacGrants_rv
|
on RbacGrants_rv
|
||||||
for each row
|
for each row
|
||||||
execute function deleteRbacGrant();
|
execute function rbac.delete_grant_tf();
|
||||||
--/
|
--/
|
||||||
|
|
||||||
|
|
||||||
|
@ -304,28 +304,28 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// given
|
// given
|
||||||
final var givenArbitraryUser = createRBacUser();
|
final var givenArbitraryUser = createRBacUser();
|
||||||
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
|
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
|
||||||
final var givencurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
final var givenCurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||||
final var givenOwnPackageAdminRole = getRbacRoleByName("test_package#xxx00:ADMIN");
|
final var givenOwnPackageAdminRole = getRbacRoleByName("test_package#xxx00:ADMIN");
|
||||||
|
|
||||||
// and given an existing grant
|
// and given an existing grant
|
||||||
assumeCreated(givencurrentSubjectAsPackageAdmin
|
assumeCreated(givenCurrentSubjectAsPackageAdmin
|
||||||
.grantsRole(givenOwnPackageAdminRole).assumed()
|
.grantsRole(givenOwnPackageAdminRole).assumed()
|
||||||
.toUser(givenArbitraryUser));
|
.toUser(givenArbitraryUser));
|
||||||
assumeGrantExists(
|
assumeGrantExists(
|
||||||
givencurrentSubjectAsPackageAdmin,
|
givenCurrentSubjectAsPackageAdmin,
|
||||||
"{ grant role:%s to user:%s by role:%s and assume }".formatted(
|
"{ grant role:%s to user:%s by role:%s and assume }".formatted(
|
||||||
givenOwnPackageAdminRole.getRoleName(),
|
givenOwnPackageAdminRole.getRoleName(),
|
||||||
givenArbitraryUser.getName(),
|
givenArbitraryUser.getName(),
|
||||||
givencurrentSubjectAsPackageAdmin.assumedRole));
|
givenCurrentSubjectAsPackageAdmin.assumedRole));
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var revokeResponse = givencurrentSubjectAsPackageAdmin
|
final var revokeResponse = givenCurrentSubjectAsPackageAdmin
|
||||||
.revokesRole(givenOwnPackageAdminRole)
|
.revokesRole(givenOwnPackageAdminRole)
|
||||||
.fromUser(givenArbitraryUser);
|
.fromUser(givenArbitraryUser);
|
||||||
|
|
||||||
// then
|
// then
|
||||||
revokeResponse.assertThat().statusCode(204);
|
revokeResponse.assertThat().statusCode(204);
|
||||||
assertThat(findAllGrantsOf(givencurrentSubjectAsPackageAdmin))
|
assertThat(findAllGrantsOf(givenCurrentSubjectAsPackageAdmin))
|
||||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
.doesNotContain(givenArbitraryUser.getName());
|
.doesNotContain(givenArbitraryUser.getName());
|
||||||
}
|
}
|
||||||
|