rbac.RoleDescriptor, rbac.assumed(), rbac.unassumed()
parent
bb0869cbd4
commit
568c1e9a65
@ -128,7 +128,7 @@ end; $$;
|
||||
--//
|
||||
|
||||
-- ============================================================================
|
||||
--changeset context-ASSUMED-ROLES:1 endDelimiter:--//
|
||||
--changeset context-base.ASSUMED-ROLES:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Returns assumed role names as set in `hsadminng.assumedRoles`
|
||||
|
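Review bot: The `--changeset` identifier is edited in place here (`context-ASSUMED-ROLES:1` and `context-base.ASSUMED-ROLES:1` both appear; the page lost its +/- markers, so I am reading the second as the new one). Liquibase keys a changeset on id, author and file path, so a database that already recorded the old identifier would treat this as a new changeset and run it again. The same in-place editing applies to the `create type RbacRoleDescriptor` / `create type rbac.RoleDescriptor` statement further down, apparently inside `rbac-base-ROLE:1`, which on an existing database would fail checksum validation or leave the old type and its functions behind. If any environment keeps its database between deployments, a follow-up changeset using `alter type ... rename to` / `set schema` is safer; if every database is rebuilt from scratch, say so next to the header, e.g. `-- NOTE: changesets are edited in place; databases are always rebuilt from scratch`. The function this changeset defines continues outside the hunk.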
@ -6,19 +6,19 @@
|
||||
/*
|
||||
|
||||
*/
|
||||
create type rbac.referenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
|
||||
create type rbac.ReferenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
|
||||
|
||||
create table rbac.reference
|
||||
(
|
||||
uuid uuid unique default uuid_generate_v4(),
|
||||
type rbac.referenceType not null
|
||||
type rbac.ReferenceType not null
|
||||
);
|
||||
|
||||
create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.referenceType)
|
||||
returns rbac.referenceType
|
||||
create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.ReferenceType)
|
||||
returns rbac.ReferenceType
|
||||
language plpgsql as $$
|
||||
declare
|
||||
actualType rbac.referenceType;
|
||||
actualType rbac.ReferenceType;
|
||||
begin
|
||||
if referenceId is null then
|
||||
raise exception '% must be a % and not null', argument, expectedType;
|
||||
@ -161,9 +161,6 @@ end; $$;
|
||||
-- ============================================================================
|
||||
--changeset rbac-base-ROLE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
|
||||
*/
|
||||
|
||||
create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER');
|
||||
|
||||
@ -177,7 +174,7 @@ create table rbac.role
|
||||
|
||||
call base.create_journal('rbac.role');
|
||||
|
||||
create type RbacRoleDescriptor as
|
||||
create type rbac.RoleDescriptor as
|
||||
(
|
||||
objectTable varchar(63), -- for human readability and easier debugging
|
||||
objectUuid uuid,
|
||||
@ -185,14 +182,14 @@ create type RbacRoleDescriptor as
|
||||
assumed boolean
|
||||
);
|
||||
|
||||
create or replace function assumed()
|
||||
create or replace function rbac.assumed()
|
||||
returns boolean
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select true;
|
||||
$$;
|
||||
|
||||
create or replace function unassumed()
|
||||
create or replace function rbac.unassumed()
|
||||
returns boolean
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
@ -203,14 +200,14 @@ $$;
|
||||
create or replace function roleDescriptor(
|
||||
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
|
||||
assumed boolean = true) -- just for DSL readability, belongs actually to the grant
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
|
||||
$$;
|
||||
|
||||
create or replace function createRole(roleDescriptor RbacRoleDescriptor)
|
||||
create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
@ -264,14 +261,14 @@ begin
|
||||
return roleUuid;
|
||||
end; $$;
|
||||
|
||||
create or replace function findRoleId(roleDescriptor RbacRoleDescriptor)
|
||||
create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language sql as $$
|
||||
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
|
||||
$$;
|
||||
|
||||
create or replace function getRoleId(roleDescriptor RbacRoleDescriptor)
|
||||
create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||
returns uuid
|
||||
language plpgsql as $$
|
||||
declare
|
||||
@ -602,7 +599,7 @@ begin
|
||||
end;
|
||||
$$;
|
||||
|
||||
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc RbacRoleDescriptor)
|
||||
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
|
||||
language plpgsql as $$
|
||||
begin
|
||||
call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
|
||||
@ -626,7 +623,7 @@ begin
|
||||
end; $$;
|
||||
|
||||
|
||||
create or replace procedure grantRoleToRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor, doAssume bool = true)
|
||||
create or replace procedure grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
superRoleId uuid;
|
||||
@ -653,7 +650,7 @@ begin
|
||||
on conflict do nothing; -- allow granting multiple times
|
||||
end; $$;
|
||||
|
||||
create or replace procedure revokeRoleFromRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor)
|
||||
create or replace procedure revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
superRoleId uuid;
|
||||
@ -673,7 +670,7 @@ begin
|
||||
end if;
|
||||
end; $$;
|
||||
|
||||
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
|
||||
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole rbac.RoleDescriptor)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
superRoleId uuid;
|
||||
|
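Review bot: The descriptor type is now schema-qualified, but the functions that consume it are still created and called without a schema: `roleDescriptor`, `createRole`, `findRoleId`, `getRoleId`, `grantPermissionToRole`, `grantRoleToRole` and `revokeRoleFromRole`, while `rbac.revokePermissionFromRole` right next to them is qualified. The call `call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));` is therefore resolved through the caller's `search_path`, which for grant and revoke code is worth pinning down. Either qualify these names the way this commit does for `rbac.assumed()` and `rbac.unassumed()`, or add a `set search_path` clause to the definitions; the hunks do not show whether any of them is `security definer`, where this matters most. Most of these bodies start or end outside the hunks.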
@ -114,7 +114,7 @@ create or replace view rbacgrants_ev as
|
||||
*/
|
||||
drop view if exists rbacgrants_rv;
|
||||
create or replace view rbacgrants_rv as
|
||||
-- @formatter:off
|
||||
-- @formatter:off
|
||||
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
|
||||
|
@ -7,12 +7,12 @@
|
||||
-- -----------------------------------------------------------------
|
||||
|
||||
create or replace function rbac.defineRoleWithGrants(
|
||||
roleDescriptor RbacRoleDescriptor,
|
||||
roleDescriptor rbac.RoleDescriptor,
|
||||
permissions RbacOp[] = array[]::RbacOp[],
|
||||
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
||||
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
||||
incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
||||
outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
||||
subjectUuids uuid[] = array[]::uuid[],
|
||||
grantedByRole RbacRoleDescriptor = null
|
||||
grantedByRole rbac.RoleDescriptor = null
|
||||
)
|
||||
returns uuid
|
||||
called on null input
|
||||
@ -21,8 +21,8 @@ declare
|
||||
roleUuid uuid;
|
||||
permission RbacOp;
|
||||
permissionUuid uuid;
|
||||
subRoleDesc RbacRoleDescriptor;
|
||||
superRoleDesc RbacRoleDescriptor;
|
||||
subRoleDesc rbac.RoleDescriptor;
|
||||
superRoleDesc rbac.RoleDescriptor;
|
||||
subRoleUuid uuid;
|
||||
superRoleUuid uuid;
|
||||
subjectUuid uuid;
|
||||
|
@ -42,7 +42,7 @@ declare
|
||||
begin
|
||||
sql = format($sql$
|
||||
create or replace function %1$sOwner(entity %2$s, assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
@ -50,7 +50,7 @@ begin
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
@ -58,7 +58,7 @@ begin
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
@ -66,7 +66,7 @@ begin
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
@ -75,7 +75,7 @@ begin
|
||||
|
||||
-- TODO: remove guest role
|
||||
create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
@ -83,7 +83,7 @@ begin
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sReferrer(entity %2$s)
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
|
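Review bot: The generator template builds function names and parameter types with `%1$s` and `%2$s`, i.e. plain string substitution into DDL, and the generated functions return the `rbac.RoleDescriptor` values that are later passed to `rbac.defineRoleWithGrants`. The arguments to `format` are outside the hunks, so I cannot tell where they come from; if they are ever anything other than literals in migration scripts, they should be checked before formatting, for example by resolving the table name through a `regclass` cast so that only an existing relation is accepted. A short comment above `sql = format($sql$` would make the contract visible: `-- %1$s: role-function name prefix, %2$s: entity row type; both must be trusted identifiers`. The enclosing procedure starts and ends outside the hunks.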
@ -110,7 +110,7 @@ commit;
|
||||
A rbac.Global administrator role.
|
||||
*/
|
||||
create or replace function globalAdmin(assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
@ -131,7 +131,7 @@ commit;
|
||||
A rbac.Global guest role.
|
||||
*/
|
||||
create or replace function globalGuest(assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns rbac.RoleDescriptor
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
@ -149,7 +149,7 @@ commit;
|
||||
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Create two users and assign both to the administrators role.
|
||||
Create two users and assign both to the administrators' role.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
|
@ -37,7 +37,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
testCustomerOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[globalADMIN(unassumed())],
|
||||
incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
|
@ -49,7 +49,7 @@ begin
|
||||
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsBookingProjectOWNER(NEW),
|
||||
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())]
|
||||
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, rbac.unassumed())]
|
||||
);
|
||||
|
||||
perform rbac.defineRoleWithGrants(
|
||||
|
@ -50,7 +50,7 @@ begin
|
||||
hsHostingAssetOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[
|
||||
globalADMIN(unassumed()),
|
||||
globalADMIN(rbac.unassumed()),
|
||||
hsBookingItemADMIN(newBookingItem),
|
||||
hsHostingAssetADMIN(newParentAsset)],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
|