introduce referential integrity for role identification - part 2 assume

This commit is contained in:
Michael Hoennig 2022-07-28 10:43:23 +02:00
parent 1dde6b2609
commit 457641a2dd
11 changed files with 39 additions and 24 deletions


@ -1,8 +0,0 @@
<component name="ProjectRunConfigurationManager">
<configuration default="false" name="30-run-all.sql" type="DatabaseScript" editBeforeRun="true" nameIsGenerated="true">
<script-file value="$PROJECT_DIR$/sql/30-run-all.sql" />
<script-mode>FILE</script-mode>
<data-source id="58980aaf-09d7-4782-a6fa-859aa1fc3986" namespace="database/&quot;postgres&quot;/schema/&quot;public&quot;" />
<method v="2" />
</configuration>
</component>


@ -670,6 +670,21 @@ BEGIN
RETURN string_to_array(currentSubject, ';'); RETURN string_to_array(currentSubject, ';');
END; $$; END; $$;
CREATE OR REPLACE FUNCTION findUuidByIdName(objectTable varchar, objectIdName varchar)
RETURNS uuid
RETURNS NULL ON NULL INPUT
LANGUAGE plpgsql AS $$
DECLARE
BEGIN
/*sql = 'E ' || baseTable || '_historicize' ||
' AFTER INSERT OR DELETE OR UPDATE ON ' || baseTable ||
' FOR EACH ROW EXECUTE PROCEDURE historicize()';
RAISE NOTICE 'sql: %', createTriggerSQL;
EXECUTE createTriggerSQ*/
RETURN customerUuidByIdName(objectIdName);
END; $$;
ROLLBACK; ROLLBACK;
SET SESSION AUTHORIZATION DEFAULT; SET SESSION AUTHORIZATION DEFAULT;
@ -702,6 +717,8 @@ BEGIN
objectNameToAssume = split_part(roleName, '#', 2); objectNameToAssume = split_part(roleName, '#', 2);
roleTypeToAssume = split_part(roleName, '#', 3); roleTypeToAssume = split_part(roleName, '#', 3);
objectUuidToAssume = findUuidByIdName(objectTableToAssume, objectNameToAssume);
-- TODO: either the result needs to be cached at least per transaction or we need to get rid of SELCT in a loop -- TODO: either the result needs to be cached at least per transaction or we need to get rid of SELCT in a loop
SELECT uuid AS roleuuidToAssume SELECT uuid AS roleuuidToAssume
FROM RbacRole r FROM RbacRole r
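Review bot: findUuidByIdName takes an objectTable parameter but never reads it; its body unconditionally returns customerUuidByIdName(objectIdName), so the new call `objectUuidToAssume = findUuidByIdName(objectTableToAssume, objectNameToAssume);` resolves a package, unixuser or domain idName against customer_iv and yields either NULL (because of RETURNS NULL ON NULL INPUT / no match) or, on a prefix collision, a customer's uuid for a role of a different type. Until the per-table lookup exists the function should fail closed rather than silently: `IF objectTable <> 'customer' THEN RAISE EXCEPTION 'findUuidByIdName: unsupported object table %', objectTable; END IF;` before the RETURN, and the commented-out historicize trigger fragment left in the body should be dropped. The assume procedure that receives objectUuidToAssume starts and ends outside this hunk, so I cannot see whether a NULL result is rejected there; a `IF objectUuidToAssume IS NULL THEN RAISE EXCEPTION ...` guard is worth confirming.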


@ -105,10 +105,25 @@ CREATE TRIGGER deleteRbacRulesForCustomer_Trigger
BEFORE DELETE ON customer BEFORE DELETE ON customer
FOR EACH ROW EXECUTE PROCEDURE deleteRbacRulesForCustomer(); FOR EACH ROW EXECUTE PROCEDURE deleteRbacRulesForCustomer();
-- create a restricted view to access the textual customer ids a idName
SET SESSION SESSION AUTHORIZATION DEFAULT;
-- ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS customer_iv;
CREATE OR REPLACE VIEW customer_iv AS
SELECT DISTINCT target.uuid, target.prefix as idName
FROM customer AS target;
-- TODO: Is it ok that everybody has access to this information?
GRANT ALL PRIVILEGES ON customer_iv TO restricted;
CREATE OR REPLACE FUNCTION customerUuidByIdName(idName varchar)
RETURNS uuid
LANGUAGE sql STRICT AS $$
SELECT uuid FROM customer_iv iv WHERE iv.idName=customerUuidByIdName.idName;
$$;
-- create RBAC restricted view -- create RBAC restricted view
SET SESSION SESSION AUTHORIZATION DEFAULT; SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY; -- ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS customer_rv; DROP VIEW IF EXISTS customer_rv;
CREATE OR REPLACE VIEW customer_rv AS CREATE OR REPLACE VIEW customer_rv AS
SELECT DISTINCT target.* SELECT DISTINCT target.*
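Review bot: `GRANT ALL PRIVILEGES ON customer_iv TO restricted;` hands INSERT/UPDATE/DELETE/TRUNCATE/REFERENCES/TRIGGER to the restricted role when the only consumer, customerUuidByIdName, needs SELECT; change it to `GRANT SELECT ON customer_iv TO restricted;`. Today the DISTINCT makes the view non-updatable in PostgreSQL, so the write privileges are probably inert, but they become live the moment someone simplifies the view. The view also exposes every customer's prefix-to-uuid mapping to any restricted user regardless of their RBAC grants, which the `-- TODO: Is it ok that everybody has access to this information?` comment already notes; if the mapping is only needed inside assume, consider not granting the view at all and making customerUuidByIdName `SECURITY DEFINER` with a pinned `search_path`, then document the decision in place of the TODO.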


@ -105,7 +105,7 @@ CREATE TRIGGER deleteRbacRulesForPackage_Trigger
-- create RBAC-restricted view -- create RBAC-restricted view
SET SESSION SESSION AUTHORIZATION DEFAULT; SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE package ENABLE ROW LEVEL SECURITY; -- ALTER TABLE package ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS package_rv; DROP VIEW IF EXISTS package_rv;
CREATE OR REPLACE VIEW package_rv AS CREATE OR REPLACE VIEW package_rv AS
SELECT DISTINCT target.* SELECT DISTINCT target.*
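Review bot: With `ALTER TABLE package ENABLE ROW LEVEL SECURITY` now commented out, package_rv is the only filter between the restricted role and the table, and nothing in this hunk shows that `restricted` holds no privileges on `package` itself, so a stray GRANT on the base table would expose every row. If disabling RLS is meant to stay, record the invariant next to the commented line, e.g. `-- RLS intentionally off: access is enforced solely via package_rv; never GRANT on package to restricted`; otherwise leaving RLS enabled lets an accidental grant fail closed. The same one-line change is made for unixuser, Domain and EMailAddress in this commit and the same consideration applies there.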


@ -107,7 +107,7 @@ CREATE TRIGGER createRbacRulesForUnixUser_Trigger
-- create RBAC-restricted view -- create RBAC-restricted view
SET SESSION SESSION AUTHORIZATION DEFAULT; SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE unixuser ENABLE ROW LEVEL SECURITY; -- ALTER TABLE unixuser ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS unixuser_rv; DROP VIEW IF EXISTS unixuser_rv;
CREATE OR REPLACE VIEW unixuser_rv AS CREATE OR REPLACE VIEW unixuser_rv AS
SELECT DISTINCT target.* SELECT DISTINCT target.*


@ -92,7 +92,7 @@ CREATE TRIGGER createRbacRulesForDomain_Trigger
-- create RBAC-restricted view -- create RBAC-restricted view
SET SESSION SESSION AUTHORIZATION DEFAULT; SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE Domain ENABLE ROW LEVEL SECURITY; -- ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS domain_rv; DROP VIEW IF EXISTS domain_rv;
CREATE OR REPLACE VIEW domain_rv AS CREATE OR REPLACE VIEW domain_rv AS
SELECT DISTINCT target.* SELECT DISTINCT target.*


@ -76,7 +76,7 @@ CREATE TRIGGER createRbacRulesForEMailAddress_Trigger
-- create RBAC-restricted view -- create RBAC-restricted view
SET SESSION SESSION AUTHORIZATION DEFAULT; SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY; -- ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS EMailAddress_rv; DROP VIEW IF EXISTS EMailAddress_rv;
CREATE OR REPLACE VIEW EMailAddress_rv AS CREATE OR REPLACE VIEW EMailAddress_rv AS
SELECT DISTINCT target.* SELECT DISTINCT target.*


@ -61,7 +61,7 @@ BEGIN
FROM unixuser_rv uu FROM unixuser_rv uu
JOIN package_rv p ON p.uuid = uu.packageuuid JOIN package_rv p ON p.uuid = uu.packageuuid
JOIN customer_rv c ON c.uuid = p.customeruuid; JOIN customer_rv c ON c.uuid = p.customeruuid;
call expectBetween(resultCount, 30, 50); call expectBetween(resultCount, 40, 60);
-- hostsharing admin assuming two customer admin roles and listing all accessible domains -- hostsharing admin assuming two customer admin roles and listing all accessible domains
-- ABORT; START TRANSACTION; -- ABORT; START TRANSACTION;
@ -74,7 +74,7 @@ BEGIN
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
JOIN package_rv p ON p.uuid = uu.packageuuid JOIN package_rv p ON p.uuid = uu.packageuuid
JOIN customer_rv c ON c.uuid = p.customeruuid; JOIN customer_rv c ON c.uuid = p.customeruuid;
call expectBetween(resultCount, 30, 50); call expectBetween(resultCount, 20, 40);
-- hostsharing admin assuming two customer admin roles and listing all accessible email addresses -- hostsharing admin assuming two customer admin roles and listing all accessible email addresses
-- ABORT; START TRANSACTION; -- ABORT; START TRANSACTION;
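Review bot: The retuned bounds in `call expectBetween(resultCount, 40, 60);` and `call expectBetween(resultCount, 20, 40);` are loose band checks, so an over-grant that leaks a handful of rows from a customer other than the two assumed ones would still pass; for an access-control test the stronger assertion is a second count over the same joins restricted to customers outside the assumed roles, checked with `call expectBetween(resultCount, 0, 0);`. Nothing in the commit explains why the expected counts moved, so a one-line comment deriving each band from the test fixtures would keep the next person from simply widening them again. The enclosing test procedure starts and ends outside this hunk, so I cannot see which customer roles are assumed.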


@ -46,15 +46,6 @@ SET LOCAL hsadminng.currentUser TO 'mih42_customer_aaa';
SET LOCAL hsadminng.currentTask TO 'adding customer_aaa'; SET LOCAL hsadminng.currentTask TO 'adding customer_aaa';
INSERT INTO package (customer_id, name) VALUES (10000, 'aaa00'); INSERT INTO package (customer_id, name) VALUES (10000, 'aaa00');
COMMIT; COMMIT;
SET SESSION SESSION AUTHORIZATION DEFAULT;
CREATE ROLE hs_sel_package_1000000;
GRANT hs_sel_package_1000000 to hs_sel_customer_10000;
SET SESSION SESSION AUTHORIZATION mih42_customer_aaa;
SELECT pg_has_role('hs_sel_package_1000000', 'MEMBER');
-- Usage: -- Usage:
SET hsadminng.timestamp TO '2022-07-12 08:53:27.723315'; SET hsadminng.timestamp TO '2022-07-12 08:53:27.723315';