From 568c1e9a653842388d886c7b3a3d66aa854e71ed Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Sat, 14 Sep 2024 06:06:54 +0200
Subject: [PATCH] rbac.RoleDescriptor, rbac.assumed(), rbac.unassumed()

---
 .../db/changelog/0-base/010-context.sql | 2 +-
 .../db/changelog/1-rbac/1050-rbac-base.sql | 35 +++++++++----------
 .../db/changelog/1-rbac/1055-rbac-views.sql | 2 +-
 .../1-rbac/1057-rbac-role-builder.sql | 12 +++---
 .../changelog/1-rbac/1058-rbac-generators.sql | 12 +++---
 .../db/changelog/1-rbac/1080-rbac-global.sql | 6 ++--
 .../2013-test-customer-rbac.sql | 2 +-
 .../6203-hs-booking-project-rbac.sql | 2 +-
 .../7013-hs-hosting-asset-rbac.sql | 2 +-
 9 files changed, 36 insertions(+), 39 deletions(-)

diff --git a/src/main/resources/db/changelog/0-base/010-context.sql b/src/main/resources/db/changelog/0-base/010-context.sql
index dcd59a31..543fb0f3 100644
--- a/src/main/resources/db/changelog/0-base/010-context.sql
+++ b/src/main/resources/db/changelog/0-base/010-context.sql
@@ -128,7 +128,7 @@ end; $$;
 --//
 
 -- ============================================================================
---changeset context-ASSUMED-ROLES:1 endDelimiter:--//
+--changeset context-base.ASSUMED-ROLES:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Returns assumed role names as set in `hsadminng.assumedRoles`
diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
index c98f3710..4e47f302 100644
--- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
+++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
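Review bot: Renaming the changeset id from `context-ASSUMED-ROLES:1` to `context-base.ASSUMED-ROLES:1` changes its Liquibase identity (id + author + path), so a database that already recorded the old id will treat this as a brand-new changeset, re-execute its body and leave the old DATABASECHANGELOG row orphaned; the other hunks in this patch edit the bodies of existing changesets, which Liquibase rejects with a checksum mismatch unless they declare `runOnChange:true` or the database is rebuilt from scratch. If the project always rebuilds the schema (the `context:dev,tc` on other changesets suggests a test-oriented workflow), that assumption should be stated once, e.g. a header comment `-- NOTE: changeset ids and bodies are edited in place; this changelog is only ever applied to a freshly created database.` Otherwise the in-place edits need `runOnChange:true` or a new changeset per change. The function whose comment starts at `/* Returns assumed role names …` continues outside the hunk.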
@@ -6,19 +6,19 @@
 /*
 
  */
-create type rbac.referenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
+create type rbac.ReferenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
 
 create table rbac.reference
 (
 uuid uuid unique default uuid_generate_v4(),
- type rbac.referenceType not null
+ type rbac.ReferenceType not null
 );
 
-create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.referenceType)
- returns rbac.referenceType
+create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.ReferenceType)
+ returns rbac.ReferenceType
 language plpgsql as $$
 declare
- actualType rbac.referenceType;
+ actualType rbac.ReferenceType;
 begin
 if referenceId is null then
 raise exception '% must be a % and not null', argument, expectedType;
@@ -161,9 +161,6 @@ end; $$;
 -- ============================================================================
 --changeset rbac-base-ROLE:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-/*
-
- */
 
 create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER');
 
@@ -177,7 +174,7 @@ create table rbac.role
 
 call base.create_journal('rbac.role');
 
-create type RbacRoleDescriptor as
+create type rbac.RoleDescriptor as
 (
 objectTable varchar(63), -- for human readability and easier debugging
 objectUuid uuid,
@@ -185,14 +182,14 @@ create type RbacRoleDescriptor as
 assumed boolean
 );
 
-create or replace function assumed()
+create or replace function rbac.assumed()
 returns boolean
 stable -- leakproof
 language sql as $$
 select true;
 $$;
 
-create or replace function unassumed()
+create or replace function rbac.unassumed()
 returns boolean
 stable -- leakproof
 language sql as $$
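Review bot: `rbac.assumed()` and `rbac.unassumed()` are undocumented constant marker functions, and `stable -- leakproof` is a weaker volatility than a body of `select true;` warrants: declaring them `immutable` lets the planner fold the call away and documents that they carry no state (leakproof itself requires superuser and buys nothing for a constant). I would add a header comment above `rbac.assumed()` such as `-- DSL marker for the 'assumed' flag of a grant: lets grant definitions read globalADMIN(rbac.unassumed()) instead of globalADMIN(false); the flag belongs to the grant, not the role (see roleDescriptor()).` The old unqualified `assumed()`/`unassumed()` are never dropped, so on a database that already ran the previous changelog the public-schema names keep resolving through `search_path` and a missed call site would not fail; `drop function if exists assumed(); drop function if exists unassumed();` ahead of the new definitions would make the rename fail loudly instead, and is a no-op on a fresh build. The body of `rbac.unassumed()` continues past the end of the hunk.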
@@ -203,14 +200,14 @@ $$;
 
 create or replace function roleDescriptor(
 objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType, assumed boolean = true) -- just for DSL readability, belongs actually to the grant
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 returns null on null input
 stable -- leakproof
 language sql as $$
 select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
 $$;
 
-create or replace function createRole(roleDescriptor RbacRoleDescriptor)
+create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
 returns uuid
 returns null on null input
 language plpgsql as $$
@@ -264,14 +261,14 @@ begin
 return roleUuid;
 end; $$;
 
-create or replace function findRoleId(roleDescriptor RbacRoleDescriptor)
+create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
 returns uuid
 returns null on null input
 language sql as $$
 select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
 $$;
 
-create or replace function getRoleId(roleDescriptor RbacRoleDescriptor)
+create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
 returns uuid
 language plpgsql as $$
 declare
@@ -602,7 +599,7 @@ begin
 
 end; $$;
 
-create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc RbacRoleDescriptor)
+create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
 language plpgsql as $$
 begin
 call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
@@ -626,7 +623,7 @@ begin
 
 end; $$;
 
-create or replace procedure grantRoleToRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor, doAssume bool = true)
+create or replace procedure grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
 language plpgsql as $$
 declare
 superRoleId uuid;
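Review bot: The schema qualification stops at the type: `roleDescriptor()`, `createRole()`, `findRoleId()`, `getRoleId()`, `grantPermissionToRole()` and `grantRoleToRole()` keep their unqualified names while they now take or return `rbac.RoleDescriptor`, and the sibling `rbac.revokePermissionFromRole()` in the same file is already qualified. For an RBAC layer this is more than cosmetic: an unqualified function is resolved through `search_path` at call time, so a same-named function in a schema earlier on the path would shadow it, whereas `rbac.findRoleId(...)` is pinned — whether that is reachable depends on who may create objects in the schemas on the path, which this patch does not show. I would finish the move for the functions touched here, e.g. `create or replace function rbac.findRoleId(roleDescriptor rbac.RoleDescriptor)`, updating the call sites in the same commit, and document on `findRoleId` that it matches on `objectUuid` and `roleType` only and ignores the descriptor's `objectTable` (safe only if object uuids are unique across tables, which the hunk does not establish). The bodies of `createRole()` and `grantRoleToRole()` continue outside the hunk.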
@@ -653,7 +650,7 @@ begin
 on conflict do nothing; -- allow granting multiple times
 end; $$;
 
-create or replace procedure revokeRoleFromRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor)
+create or replace procedure revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
 language plpgsql as $$
 declare
 superRoleId uuid;
@@ -673,7 +670,7 @@ begin
 end if;
 end; $$;
 
-create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
+create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole rbac.RoleDescriptor)
 language plpgsql as $$
 declare
 superRoleId uuid;
diff --git a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
index 130bf547..610040f8 100644
--- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
+++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
@@ -114,7 +114,7 @@ create or replace view rbacgrants_ev as
 */
 drop view if exists rbacgrants_rv;
 create or replace view rbacgrants_rv as
- -- @formatter:off
+-- @formatter:off
 select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
 g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName,
 g.userName, g.assumed, g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
diff --git a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql
index 84ab8cf7..7adf4adc 100644
--- a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql
+++ b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql
@@ -7,12 +7,12 @@
 -- -----------------------------------------------------------------
 
 create or replace function rbac.defineRoleWithGrants(
- roleDescriptor RbacRoleDescriptor,
+ roleDescriptor rbac.RoleDescriptor,
 permissions RbacOp[] = array[]::RbacOp[],
- incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
- outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
+ incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
+ outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
 subjectUuids uuid[] = array[]::uuid[],
- grantedByRole RbacRoleDescriptor = null
+ grantedByRole rbac.RoleDescriptor = null
 )
 returns uuid
 called on null input
@@ -21,8 +21,8 @@ declare
 roleUuid uuid;
 permission RbacOp;
 permissionUuid uuid;
- subRoleDesc RbacRoleDescriptor;
- superRoleDesc RbacRoleDescriptor;
+ subRoleDesc rbac.RoleDescriptor;
+ superRoleDesc rbac.RoleDescriptor;
 subRoleUuid uuid;
 superRoleUuid uuid;
 subjectUuid uuid;
diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
index 25c3d9a7..d1f19dae 100644
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@@ -42,7 +42,7 @@ declare
 begin
 sql = format($sql$
 create or replace function %1$sOwner(entity %2$s, assumed boolean = true)
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 language plpgsql
 strict as $f$
 begin
@@ -50,7 +50,7 @@ begin
 end; $f$;
 
 create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 language plpgsql
 strict as $f$
 begin
@@ -58,7 +58,7 @@ begin
 end; $f$;
 
 create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 language plpgsql
 strict as $f$
 begin
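Review bot: In the 1058 generator hunks the DDL is built with `format($sql$ … %1$sOwner(entity %2$s, …)`, i.e. the name prefix and the entity type are spliced in as `%s` rather than `%I`, so no identifier quoting or validation happens on the way into `create or replace function`. The arguments appear to be supplied by the changelog itself (the enclosing generator function starts before the hunk and its callers are not shown), so this is hardening rather than a live injection, but a generator that emits the RBAC role functions is exactly where an unexpected name would do the most damage; either concatenate the function name first and quote it with `%I` (`create or replace function %I(entity %s, assumed boolean = true)` with `prefix || 'Owner'` as the argument), or assert up front that both inputs match `^[A-Za-z_][A-Za-z0-9_.]*$`. At minimum a comment on `sql = format($sql$` such as `-- arguments are trusted identifiers from the changelog, never user input` would make the decision explicit.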
@@ -66,7 +66,7 @@ begin
 end; $f$;
 
 create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 language plpgsql
 strict as $f$
 begin
@@ -75,7 +75,7 @@ begin
 
 -- TODO: remove guest role
 create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 language plpgsql
 strict as $f$
 begin
@@ -83,7 +83,7 @@ begin
 end; $f$;
 
 create or replace function %1$sReferrer(entity %2$s)
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 language plpgsql
 strict as $f$
 begin
diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
index f12f0a4a..ada5f5dc 100644
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@@ -110,7 +110,7 @@ commit;
 A rbac.Global administrator role.
 */
 create or replace function globalAdmin(assumed boolean = true)
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 returns null on null input
 stable -- leakproof
 language sql as $$
@@ -131,7 +131,7 @@ commit;
 A rbac.Global guest role.
 */
 create or replace function globalGuest(assumed boolean = true)
- returns RbacRoleDescriptor
+ returns rbac.RoleDescriptor
 returns null on null input
 stable -- leakproof
 language sql as $$
@@ -149,7 +149,7 @@ commit;
 --changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
- Create two users and assign both to the administrators role.
+ Create two users and assign both to the administrators' role.
 */
 do language plpgsql $$
 declare
diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
index df106732..21aec61a 100644
--- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
+++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
@@ -37,7 +37,7 @@ begin
 
 perform rbac.defineRoleWithGrants(
 testCustomerOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[globalADMIN(unassumed())],
+ incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
index 600cff4d..ff6a9054 100644
--- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
@@ -49,7 +49,7 @@ begin
 
 perform rbac.defineRoleWithGrants(
 hsBookingProjectOWNER(NEW),
- incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())]
+ incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, rbac.unassumed())]
 );
 
 perform rbac.defineRoleWithGrants(
diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
index 72357dff..a699bdc1 100644
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
@@ -50,7 +50,7 @@ begin
 hsHostingAssetOWNER(NEW),
 permissions => array['DELETE'],
 incomingSuperRoles => array[
- globalADMIN(unassumed()),
+ globalADMIN(rbac.unassumed()),
 hsBookingItemADMIN(newBookingItem),
 hsHostingAssetADMIN(newParentAsset)],
 subjectUuids => array[rbac.currentSubjectUuid()]