rbac.RoleDescriptor, rbac.assumed(), rbac.unassumed()

This commit is contained in:
Michael Hoennig 2024-09-14 06:06:54 +02:00
parent bb0869cbd4
commit 568c1e9a65
9 changed files with 36 additions and 39 deletions

View File

@ -128,7 +128,7 @@ end; $$;
--//
-- ============================================================================
--changeset context-ASSUMED-ROLES:1 endDelimiter:--//
--changeset context-base.ASSUMED-ROLES:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Returns assumed role names as set in `hsadminng.assumedRoles`

View File

@ -6,19 +6,19 @@
/*
*/
create type rbac.referenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
create type rbac.ReferenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
create table rbac.reference
(
uuid uuid unique default uuid_generate_v4(),
type rbac.referenceType not null
type rbac.ReferenceType not null
);
create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.referenceType)
returns rbac.referenceType
create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.ReferenceType)
returns rbac.ReferenceType
language plpgsql as $$
declare
actualType rbac.referenceType;
actualType rbac.ReferenceType;
begin
if referenceId is null then
raise exception '% must be a % and not null', argument, expectedType;
@ -161,9 +161,6 @@ end; $$;
-- ============================================================================
--changeset rbac-base-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER');
@ -177,7 +174,7 @@ create table rbac.role
call base.create_journal('rbac.role');
create type RbacRoleDescriptor as
create type rbac.RoleDescriptor as
(
objectTable varchar(63), -- for human readability and easier debugging
objectUuid uuid,
@ -185,14 +182,14 @@ create type RbacRoleDescriptor as
assumed boolean
);
create or replace function assumed()
create or replace function rbac.assumed()
returns boolean
stable -- leakproof
language sql as $$
select true;
$$;
create or replace function unassumed()
create or replace function rbac.unassumed()
returns boolean
stable -- leakproof
language sql as $$
@ -203,14 +200,14 @@ $$;
create or replace function roleDescriptor(
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
assumed boolean = true) -- just for DSL readability, belongs actually to the grant
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
returns null on null input
stable -- leakproof
language sql as $$
select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
$$;
create or replace function createRole(roleDescriptor RbacRoleDescriptor)
create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
returns uuid
returns null on null input
language plpgsql as $$
@ -264,14 +261,14 @@ begin
return roleUuid;
end; $$;
create or replace function findRoleId(roleDescriptor RbacRoleDescriptor)
create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
returns uuid
returns null on null input
language sql as $$
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
$$;
create or replace function getRoleId(roleDescriptor RbacRoleDescriptor)
create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
returns uuid
language plpgsql as $$
declare
@ -602,7 +599,7 @@ begin
end;
$$;
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc RbacRoleDescriptor)
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
language plpgsql as $$
begin
call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
@ -626,7 +623,7 @@ begin
end; $$;
create or replace procedure grantRoleToRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor, doAssume bool = true)
create or replace procedure grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
language plpgsql as $$
declare
superRoleId uuid;
@ -653,7 +650,7 @@ begin
on conflict do nothing; -- allow granting multiple times
end; $$;
create or replace procedure revokeRoleFromRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor)
create or replace procedure revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
language plpgsql as $$
declare
superRoleId uuid;
@ -673,7 +670,7 @@ begin
end if;
end; $$;
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole rbac.RoleDescriptor)
language plpgsql as $$
declare
superRoleId uuid;

View File

@ -7,12 +7,12 @@
-- -----------------------------------------------------------------
create or replace function rbac.defineRoleWithGrants(
roleDescriptor RbacRoleDescriptor,
roleDescriptor rbac.RoleDescriptor,
permissions RbacOp[] = array[]::RbacOp[],
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
subjectUuids uuid[] = array[]::uuid[],
grantedByRole RbacRoleDescriptor = null
grantedByRole rbac.RoleDescriptor = null
)
returns uuid
called on null input
@ -21,8 +21,8 @@ declare
roleUuid uuid;
permission RbacOp;
permissionUuid uuid;
subRoleDesc RbacRoleDescriptor;
superRoleDesc RbacRoleDescriptor;
subRoleDesc rbac.RoleDescriptor;
superRoleDesc rbac.RoleDescriptor;
subRoleUuid uuid;
superRoleUuid uuid;
subjectUuid uuid;

View File

@ -42,7 +42,7 @@ declare
begin
sql = format($sql$
create or replace function %1$sOwner(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
language plpgsql
strict as $f$
begin
@ -50,7 +50,7 @@ begin
end; $f$;
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
language plpgsql
strict as $f$
begin
@ -58,7 +58,7 @@ begin
end; $f$;
create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
language plpgsql
strict as $f$
begin
@ -66,7 +66,7 @@ begin
end; $f$;
create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
language plpgsql
strict as $f$
begin
@ -75,7 +75,7 @@ begin
-- TODO: remove guest role
create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
language plpgsql
strict as $f$
begin
@ -83,7 +83,7 @@ begin
end; $f$;
create or replace function %1$sReferrer(entity %2$s)
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
language plpgsql
strict as $f$
begin

View File

@ -110,7 +110,7 @@ commit;
A rbac.Global administrator role.
*/
create or replace function globalAdmin(assumed boolean = true)
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
returns null on null input
stable -- leakproof
language sql as $$
@ -131,7 +131,7 @@ commit;
A rbac.Global guest role.
*/
create or replace function globalGuest(assumed boolean = true)
returns RbacRoleDescriptor
returns rbac.RoleDescriptor
returns null on null input
stable -- leakproof
language sql as $$
@ -149,7 +149,7 @@ commit;
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
Create two users and assign both to the administrators' role.
*/
do language plpgsql $$
declare

View File

@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants(
testCustomerOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN(unassumed())],
incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
subjectUuids => array[rbac.currentSubjectUuid()]
);

View File

@ -49,7 +49,7 @@ begin
perform rbac.defineRoleWithGrants(
hsBookingProjectOWNER(NEW),
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())]
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, rbac.unassumed())]
);
perform rbac.defineRoleWithGrants(

View File

@ -50,7 +50,7 @@ begin
hsHostingAssetOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[
globalADMIN(unassumed()),
globalADMIN(rbac.unassumed()),
hsBookingItemADMIN(newBookingItem),
hsHostingAssetADMIN(newParentAsset)],
subjectUuids => array[rbac.currentSubjectUuid()]