rbac.RoleDescriptor, rbac.assumed(), rbac.unassumed()

2024-09-14 06:06:54 +02:00 · 2024-09-14 06:06:54 +02:00 · 568c1e9a65
commit 568c1e9a65
parent bb0869cbd4
9 changed files with 36 additions and 39 deletions
--- a/src/main/resources/db/changelog/0-base/010-context.sql
+++ b/src/main/resources/db/changelog/0-base/010-context.sql
@ -128,7 +128,7 @@ end; $$;
 --//
 -- ============================================================================
--changeset context-ASSUMED-ROLES:1 endDelimiter:--//
+--changeset context-base.ASSUMED-ROLES:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
    Returns assumed role names as set in `hsadminng.assumedRoles`
--- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
+++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
@ -6,19 +6,19 @@
 /*
 */
-create type rbac.referenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
+create type rbac.ReferenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
 create table rbac.reference
 (
    uuid uuid unique default uuid_generate_v4(),
-    type rbac.referenceType not null
+    type rbac.ReferenceType not null
 );
-create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.referenceType)
+create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.ReferenceType)
-    returns rbac.referenceType
+    returns rbac.ReferenceType
    language plpgsql as $$
 declare
-    actualType rbac.referenceType;
+    actualType rbac.ReferenceType;
 begin
    if referenceId is null then
        raise exception '% must be a % and not null', argument, expectedType;
@ -161,9 +161,6 @@ end; $$;
 -- ============================================================================
 --changeset rbac-base-ROLE:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 */
 create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER');
@ -177,7 +174,7 @@ create table rbac.role
 call base.create_journal('rbac.role');
-create type RbacRoleDescriptor as
+create type rbac.RoleDescriptor as
 (
    objectTable varchar(63), -- for human readability and easier debugging
    objectUuid  uuid,
@ -185,14 +182,14 @@ create type RbacRoleDescriptor as
    assumed     boolean
 );
-create or replace function assumed()
+create or replace function rbac.assumed()
    returns boolean
    stable -- leakproof
    language sql as $$
        select true;
 $$;
-create or replace function unassumed()
+create or replace function rbac.unassumed()
    returns boolean
    stable -- leakproof
    language sql as $$
@ -203,14 +200,14 @@ $$;
 create or replace function roleDescriptor(
        objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
        assumed boolean = true) -- just for DSL readability, belongs actually to the grant
-    returns RbacRoleDescriptor
+    returns rbac.RoleDescriptor
    returns null on null input
    stable -- leakproof
    language sql as $$
        select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
 $$;
-create or replace function createRole(roleDescriptor RbacRoleDescriptor)
+create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
    returns uuid
    returns null on null input
    language plpgsql as $$
@ -264,14 +261,14 @@ begin
    return roleUuid;
 end; $$;
-create or replace function findRoleId(roleDescriptor RbacRoleDescriptor)
+create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
    returns uuid
    returns null on null input
    language sql as $$
 select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
 $$;
-create or replace function getRoleId(roleDescriptor RbacRoleDescriptor)
+create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
    returns uuid
    language plpgsql as $$
 declare
@ -602,7 +599,7 @@ begin
 end;
 $$;
-create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc RbacRoleDescriptor)
+create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
    language plpgsql as $$
 begin
    call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
@ -626,7 +623,7 @@ begin
 end; $$;
-create or replace procedure grantRoleToRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor, doAssume bool = true)
+create or replace procedure grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
    language plpgsql as $$
 declare
    superRoleId uuid;
@ -653,7 +650,7 @@ begin
    on conflict do nothing; -- allow granting multiple times
 end; $$;
-create or replace procedure revokeRoleFromRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor)
+create or replace procedure revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
    language plpgsql as $$
 declare
    superRoleId uuid;
@ -673,7 +670,7 @@ begin
    end if;
 end; $$;
-create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
+create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole rbac.RoleDescriptor)
    language plpgsql as $$
 declare
    superRoleId uuid;
--- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
+++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
@ -114,7 +114,7 @@ create or replace view rbacgrants_ev as
 */
 drop view if exists rbacgrants_rv;
 create or replace view rbacgrants_rv as
-    -- @formatter:off
+-- @formatter:off
 select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
       g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
       g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
--- a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql
+++ b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql
@ -7,12 +7,12 @@
 -- -----------------------------------------------------------------
 create or replace function rbac.defineRoleWithGrants(
-    roleDescriptor RbacRoleDescriptor,
+    roleDescriptor rbac.RoleDescriptor,
    permissions RbacOp[] = array[]::RbacOp[],
-    incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
+    incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
-    outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
+    outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
    subjectUuids uuid[] = array[]::uuid[],
-    grantedByRole RbacRoleDescriptor = null
+    grantedByRole rbac.RoleDescriptor = null
 )
    returns uuid
    called on null input
@ -21,8 +21,8 @@ declare
    roleUuid                uuid;
    permission              RbacOp;
    permissionUuid          uuid;
-    subRoleDesc             RbacRoleDescriptor;
+    subRoleDesc             rbac.RoleDescriptor;
-    superRoleDesc           RbacRoleDescriptor;
+    superRoleDesc           rbac.RoleDescriptor;
    subRoleUuid             uuid;
    superRoleUuid           uuid;
    subjectUuid             uuid;
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@ -42,7 +42,7 @@ declare
 begin
    sql = format($sql$
        create or replace function %1$sOwner(entity %2$s, assumed boolean = true)
-            returns RbacRoleDescriptor
+            returns rbac.RoleDescriptor
            language plpgsql
            strict as $f$
        begin
@ -50,7 +50,7 @@ begin
        end; $f$;
        create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
-            returns RbacRoleDescriptor
+            returns rbac.RoleDescriptor
            language plpgsql
            strict as $f$
        begin
@ -58,7 +58,7 @@ begin
        end; $f$;
        create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
-            returns RbacRoleDescriptor
+            returns rbac.RoleDescriptor
            language plpgsql
            strict as $f$
        begin
@ -66,7 +66,7 @@ begin
        end; $f$;
        create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
-            returns RbacRoleDescriptor
+            returns rbac.RoleDescriptor
            language plpgsql
            strict as $f$
        begin
@ -75,7 +75,7 @@ begin
        -- TODO: remove guest role
        create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
-            returns RbacRoleDescriptor
+            returns rbac.RoleDescriptor
            language plpgsql
            strict as $f$
        begin
@ -83,7 +83,7 @@ begin
        end; $f$;
        create or replace function %1$sReferrer(entity %2$s)
-            returns RbacRoleDescriptor
+            returns rbac.RoleDescriptor
            language plpgsql
            strict as $f$
        begin
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@ -110,7 +110,7 @@ commit;
    A rbac.Global administrator role.
 */
 create or replace function globalAdmin(assumed boolean = true)
-    returns RbacRoleDescriptor
+    returns rbac.RoleDescriptor
    returns null on null input
    stable -- leakproof
    language sql as $$
@ -131,7 +131,7 @@ commit;
    A rbac.Global guest role.
 */
 create or replace function globalGuest(assumed boolean = true)
-    returns RbacRoleDescriptor
+    returns rbac.RoleDescriptor
    returns null on null input
    stable -- leakproof
    language sql as $$
@ -149,7 +149,7 @@ commit;
 --changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
-    Create two users and assign both to the administrators role.
+    Create two users and assign both to the administrators' role.
 */
 do language plpgsql $$
    declare
--- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
+++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
@ -37,7 +37,7 @@ begin
    perform rbac.defineRoleWithGrants(
        testCustomerOWNER(NEW),
            permissions => array['DELETE'],
-            incomingSuperRoles => array[globalADMIN(unassumed())],
+            incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
            subjectUuids => array[rbac.currentSubjectUuid()]
    );
--- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
@ -49,7 +49,7 @@ begin
    perform rbac.defineRoleWithGrants(
        hsBookingProjectOWNER(NEW),
-            incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())]
+            incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, rbac.unassumed())]
    );
    perform rbac.defineRoleWithGrants(
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
@ -50,7 +50,7 @@ begin
        hsHostingAssetOWNER(NEW),
            permissions => array['DELETE'],
            incomingSuperRoles => array[
-            	globalADMIN(unassumed()),
+            	globalADMIN(rbac.unassumed()),
            	hsBookingItemADMIN(newBookingItem),
            	hsHostingAssetADMIN(newParentAsset)],
            subjectUuids => array[rbac.currentSubjectUuid()]