rename table rbac.grants -> rbac.grant for consistent naming (#141)

Co-authored-by: Michael Hoennig <michael@hoennig.de>
Reviewed-on: #141
Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net>
This commit is contained in:
Michael Hoennig 2025-01-02 12:39:18 +01:00
parent 71be87b36b
commit 6dafe0a7bb
28 changed files with 116 additions and 118 deletions

View File

@ -1,7 +1,6 @@
package net.hostsharing.hsadminng.hs.office.person; package net.hostsharing.hsadminng.hs.office.person;
import lombok.*; import lombok.*;
import lombok.experimental.FieldNameConstants;
import lombok.experimental.SuperBuilder; import lombok.experimental.SuperBuilder;
import net.hostsharing.hsadminng.errors.DisplayAs; import net.hostsharing.hsadminng.errors.DisplayAs;
import net.hostsharing.hsadminng.rbac.generator.RbacSpec; import net.hostsharing.hsadminng.rbac.generator.RbacSpec;
@ -22,7 +21,6 @@ import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.rbacViewFor;
@Setter @Setter
@NoArgsConstructor @NoArgsConstructor
@SuperBuilder(toBuilder = true) @SuperBuilder(toBuilder = true)
@FieldNameConstants
@DisplayAs("RbacPerson") @DisplayAs("RbacPerson")
public class HsOfficePersonRbacEntity extends HsOfficePerson<HsOfficePersonRbacEntity> { public class HsOfficePersonRbacEntity extends HsOfficePerson<HsOfficePersonRbacEntity> {

View File

@ -54,18 +54,18 @@ class RbacRbacSystemRebuildGenerator {
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM ${rawTableName} LOOP FOR row IN SELECT * FROM ${rawTableName} LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL ${rawTableName}_build_rbac_system(row); CALL ${rawTableName}_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -112,7 +112,7 @@ class RolesGrantsAndPermissionsGenerator {
begin begin
if ${updateConditions} then if ${updateConditions} then
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid; delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
call ${rawTableQualifiedName}_build_rbac_system(NEW); call ${rawTableQualifiedName}_build_rbac_system(NEW);
end if; end if;
end; $$; end; $$;

View File

@ -12,7 +12,7 @@ import java.util.List;
import java.util.UUID; import java.util.UUID;
@Entity @Entity
@Table(schema = "rbac", name = "grants_ev") @Table(schema = "rbac", name = "grant_ev")
@Getter @Getter
@Setter @Setter
@Builder @Builder

View File

@ -8,7 +8,7 @@ import jakarta.persistence.*;
import java.util.UUID; import java.util.UUID;
@Entity @Entity
@Table(schema = "rbac", name = "grants_rv") @Table(schema = "rbac", name = "grant_rv")
@IdClass(RbacGrantId.class) @IdClass(RbacGrantId.class)
@Getter @Getter
@Setter @Setter

View File

@ -360,7 +360,7 @@ create or replace function rbac.delete_grants_of_role_tf()
strict as $$ strict as $$
begin begin
if TG_OP = 'DELETE' then if TG_OP = 'DELETE' then
delete from rbac.grants g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid); delete from rbac.grant g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid);
else else
raise exception 'invalid usage of TRIGGER BEFORE DELETE'; raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if; end if;
@ -541,7 +541,7 @@ $$;
/* /*
Table to store grants / role- or permission assignments to subjects or roles. Table to store grants / role- or permission assignments to subjects or roles.
*/ */
create table rbac.grants create table rbac.grant
( (
uuid uuid primary key default uuid_generate_v4(), uuid uuid primary key default uuid_generate_v4(),
grantedByTriggerOf uuid references rbac.object (uuid) on delete cascade initially deferred , grantedByTriggerOf uuid references rbac.object (uuid) on delete cascade initially deferred ,
@ -551,21 +551,21 @@ create table rbac.grants
assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false) assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
unique (ascendantUuid, descendantUuid), unique (ascendantUuid, descendantUuid),
constraint rbacGrant_createdBy check ( grantedByRoleUuid is null or grantedByTriggerOf is null) ); constraint rbacGrant_createdBy check ( grantedByRoleUuid is null or grantedByTriggerOf is null) );
create index on rbac.grants (ascendantUuid); create index on rbac.grant (ascendantUuid);
create index on rbac.grants (descendantUuid); create index on rbac.grant (descendantUuid);
call base.create_journal('rbac.grants'); call base.create_journal('rbac.grant');
create or replace function rbac.findGrantees(grantedId uuid) create or replace function rbac.findGrantees(grantedId uuid)
returns setof rbac.reference returns setof rbac.reference
returns null on null input returns null on null input
language sql as $$ language sql as $$
with recursive grants as ( with recursive grants as (
select descendantUuid, ascendantUuid select descendantUuid, ascendantUuid
from rbac.grants from rbac.grant
where descendantUuid = grantedId where descendantUuid = grantedId
union all union all
select g.descendantUuid, g.ascendantUuid select g.descendantUuid, g.ascendantUuid
from rbac.grants g from rbac.grant g
inner join grants on grants.ascendantUuid = g.descendantUuid inner join grants on grants.ascendantUuid = g.descendantUuid
) )
select ref.* select ref.*
@ -579,11 +579,11 @@ create or replace function rbac.isGranted(granteeIds uuid[], grantedId uuid)
language sql as $$ language sql as $$
with recursive grants as ( with recursive grants as (
select descendantUuid, ascendantUuid select descendantUuid, ascendantUuid
from rbac.grants from rbac.grant
where descendantUuid = grantedId where descendantUuid = grantedId
union all union all
select "grant".descendantUuid, "grant".ascendantUuid select "grant".descendantUuid, "grant".ascendantUuid
from rbac.grants "grant" from rbac.grant "grant"
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
) )
select exists ( select exists (
@ -605,11 +605,11 @@ create or replace function rbac.isPermissionGrantedToSubject(permissionId uuid,
language sql as $$ language sql as $$
with recursive grants as ( with recursive grants as (
select descendantUuid, ascendantUuid select descendantUuid, ascendantUuid
from rbac.grants from rbac.grant
where descendantUuid = permissionId where descendantUuid = permissionId
union all union all
select g.descendantUuid, g.ascendantUuid select g.descendantUuid, g.ascendantUuid
from rbac.grants g from rbac.grant g
inner join grants on grants.ascendantUuid = g.descendantUuid inner join grants on grants.ascendantUuid = g.descendantUuid
) )
select exists( select exists(
@ -637,7 +637,7 @@ create or replace function rbac.hasGlobalRoleGranted(forAscendantUuid uuid)
language sql as $$ language sql as $$
select exists( select exists(
select r.uuid select r.uuid
from rbac.grants as g from rbac.grant as g
join rbac.role as r on r.uuid = g.descendantuuid join rbac.role as r on r.uuid = g.descendantuuid
join rbac.object as o on o.uuid = r.objectuuid join rbac.object as o on o.uuid = r.objectuuid
where g.ascendantuuid = forAscendantUuid where g.ascendantuuid = forAscendantUuid
@ -652,7 +652,7 @@ begin
perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission'); perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission');
insert insert
into rbac.grants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed) into rbac.grant (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
values (rbac.currentTriggerObjectUuid(), roleUuid, permissionUuid, true) values (rbac.currentTriggerObjectUuid(), roleUuid, permissionUuid, true)
on conflict do nothing; -- allow granting multiple times on conflict do nothing; -- allow granting multiple times
end; end;
@ -676,7 +676,7 @@ begin
end if; end if;
insert insert
into rbac.grants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed) into rbac.grant (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume) values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
on conflict do nothing; -- allow granting multiple times on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
@ -704,7 +704,7 @@ begin
end if; end if;
insert insert
into rbac.grants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed) into rbac.grant (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume) values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
on conflict do nothing; -- allow granting multiple times on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
@ -722,7 +722,7 @@ begin
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role'); perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
if (rbac.isGranted(superRoleId, subRoleId)) then if (rbac.isGranted(superRoleId, subRoleId)) then
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = subRoleId; delete from rbac.grant where ascendantUuid = superRoleId and descendantUuid = subRoleId;
else else
raise exception 'cannot revoke role % (%) from % (%) because it is not granted', raise exception 'cannot revoke role % (%) from % (%) because it is not granted',
subRole, subRoleId, superRole, superRoleId; subRole, subRoleId, superRole, superRoleId;
@ -743,10 +743,10 @@ begin
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission'); perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
if (rbac.isGranted(superRoleId, permissionId)) then if (rbac.isGranted(superRoleId, permissionId)) then
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId; delete from rbac.grant where ascendantUuid = superRoleId and descendantUuid = permissionId;
else else
select p.op, o.objectTable, o.uuid select p.op, o.objectTable, o.uuid
from rbac.grants g from rbac.grant g
join rbac.permission p on p.uuid=g.descendantUuid join rbac.permission p on p.uuid=g.descendantUuid
join rbac.object o on o.uuid=p.objectUuid join rbac.object o on o.uuid=p.objectUuid
where g.uuid=permissionId where g.uuid=permissionId
@ -777,12 +777,12 @@ begin
return query return query
WITH RECURSIVE grants AS ( WITH RECURSIVE grants AS (
SELECT descendantUuid, ascendantUuid, 1 AS level SELECT descendantUuid, ascendantUuid, 1 AS level
FROM rbac.grants FROM rbac.grant
WHERE assumed WHERE assumed
AND ascendantUuid = any(subjectIds) AND ascendantUuid = any(subjectIds)
UNION ALL UNION ALL
SELECT g.descendantUuid, g.ascendantUuid, grants.level + 1 AS level SELECT g.descendantUuid, g.ascendantUuid, grants.level + 1 AS level
FROM rbac.grants g FROM rbac.grant g
INNER JOIN grants ON grants.descendantUuid = g.ascendantUuid INNER JOIN grants ON grants.descendantUuid = g.ascendantUuid
WHERE g.assumed WHERE g.assumed
), ),
@ -821,11 +821,11 @@ create or replace function rbac.queryPermissionsGrantedToSubjectId(subjectId uui
language sql as $$ language sql as $$
with recursive grants as ( with recursive grants as (
select descendantUuid, ascendantUuid select descendantUuid, ascendantUuid
from rbac.grants from rbac.grant
where ascendantUuid = subjectId where ascendantUuid = subjectId
union all union all
select g.descendantUuid, g.ascendantUuid select g.descendantUuid, g.ascendantUuid
from rbac.grants g from rbac.grant g
inner join grants on grants.descendantUuid = g.ascendantUuid inner join grants on grants.descendantUuid = g.ascendantUuid
) )
select perm.* select perm.*
@ -855,11 +855,11 @@ select *
-- @formatter:off -- @formatter:off
with recursive grants as ( with recursive grants as (
select descendantUuid, ascendantUuid select descendantUuid, ascendantUuid
from rbac.grants from rbac.grant
where descendantUuid = objectId where descendantUuid = objectId
union all union all
select "grant".descendantUuid, "grant".ascendantUuid select "grant".descendantUuid, "grant".ascendantUuid
from rbac.grants "grant" from rbac.grant "grant"
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
) )
-- @formatter:on -- @formatter:on

View File

@ -28,7 +28,7 @@ begin
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject'); perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
insert insert
into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) into rbac.grant (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume) values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)
-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception? -- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
on conflict do nothing; -- allow granting multiple times on conflict do nothing; -- allow granting multiple times
@ -61,7 +61,7 @@ begin
end if; end if;
insert insert
into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) into rbac.grant (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume); values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);
-- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same? -- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?
-- Most powerful or latest grant wins? What about managed? -- Most powerful or latest grant wins? What about managed?
@ -104,8 +104,8 @@ create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, g
begin begin
call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid); call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);
raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid; raise INFO 'delete from rbac.grant where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
delete from rbac.grants as g delete from rbac.grant as g
where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid
and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid; and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;
end; $$; end; $$;
@ -118,8 +118,8 @@ end; $$;
create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid) create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
language plpgsql as $$ language plpgsql as $$
begin begin
raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid; raise INFO 'delete from rbac.grant where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
delete from rbac.grants as g delete from rbac.grant as g
where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid; where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid;
end; $$; end; $$;
--// --//

View File

@ -52,8 +52,8 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
Creates a view to the grants table with additional columns Creates a view to the grants table with additional columns
for easier human readability. for easier human readability.
*/ */
drop view if exists rbac.grants_ev; drop view if exists rbac.grant_ev;
create or replace view rbac.grants_ev as create or replace view rbac.grant_ev as
-- @formatter:off -- @formatter:off
select x.grantUuid as uuid, select x.grantUuid as uuid,
x.grantedByTriggerOf as grantedByTriggerOf, x.grantedByTriggerOf as grantedByTriggerOf,
@ -85,7 +85,7 @@ create or replace view rbac.grants_ev as
) as descendingIdName, ) as descendingIdName,
dro.objectTable, dro.uuid, dro.objectTable, dro.uuid,
dp.op, dp.optablename dp.op, dp.optablename
from rbac.grants as g from rbac.grant as g
left outer join rbac.role as ar on ar.uuid = g.ascendantUuid left outer join rbac.role as ar on ar.uuid = g.ascendantUuid
left outer join rbac.object as aro on aro.uuid = ar.objectuuid left outer join rbac.object as aro on aro.uuid = ar.objectuuid
@ -112,7 +112,7 @@ create or replace view rbac.grants_ev as
Creates a view to the grants table with row-level limitation Creates a view to the grants table with row-level limitation
based on the direct grants of the current user. based on the direct grants of the current user.
*/ */
create or replace view rbac.grants_rv as create or replace view rbac.grant_rv as
-- @formatter:off -- @formatter:off
select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed, g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
@ -122,7 +122,7 @@ select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed, select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
u.name as userName, o.objecttable, r.objectuuid, r.roletype, u.name as userName, o.objecttable, r.objectuuid, r.roletype,
rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
from rbac.grants as g from rbac.grant as g
join rbac.role as r on r.uuid = g.descendantUuid join rbac.role as r on r.uuid = g.descendantUuid
join rbac.object o on o.uuid = r.objectuuid join rbac.object o on o.uuid = r.objectuuid
left outer join rbac.subject u on u.uuid = g.ascendantuuid left outer join rbac.subject u on u.uuid = g.ascendantuuid
@ -141,28 +141,28 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/** /**
Instead of insert trigger function for rbac.grants_rv. Instead of insert trigger function for rbac.grant_rv.
*/ */
create or replace function rbac.insert_grant_tf() create or replace function rbac.insert_grant_tf()
returns trigger returns trigger
language plpgsql as $$ language plpgsql as $$
declare declare
newGrant rbac.grants_rv; newGrant rbac.grant_rv;
begin begin
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed); call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
select grv.* select grv.*
from rbac.grants_rv grv from rbac.grant_rv grv
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
into newGrant; into newGrant;
return newGrant; return newGrant;
end; $$; end; $$;
/* /*
Creates an instead of insert trigger for the rbac.grants_rv view. Creates an instead of insert trigger for the rbac.grant_rv view.
*/ */
create trigger insert_grant_tg create trigger insert_grant_tg
instead of insert instead of insert
on rbac.grants_rv on rbac.grant_rv
for each row for each row
execute function rbac.insert_grant_tf(); execute function rbac.insert_grant_tf();
--/ --/
@ -173,7 +173,7 @@ execute function rbac.insert_grant_tf();
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/** /**
Instead of delete trigger function for rbac.grants_rv. Instead of delete trigger function for rbac.grant_rv.
Checks if the current subject or assumed role have the permission to revoke the grant. Checks if the current subject or assumed role have the permission to revoke the grant.
*/ */
@ -186,11 +186,11 @@ begin
end; $$; end; $$;
/* /*
Creates an instead of delete trigger for the rbac.grants_rv view. Creates an instead of delete trigger for the rbac.grant_rv view.
*/ */
create trigger delete_grant_tg create trigger delete_grant_tg
instead of delete instead of delete
on rbac.grants_rv on rbac.grant_rv
for each row for each row
execute function rbac.delete_grant_tf(); execute function rbac.delete_grant_tf();
--/ --/
@ -210,7 +210,7 @@ select distinct *
from ( from (
select usersInRolesOfcurrentSubject.* select usersInRolesOfcurrentSubject.*
from rbac.subject as usersInRolesOfcurrentSubject from rbac.subject as usersInRolesOfcurrentSubject
join rbac.grants as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid join rbac.grant as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
join rbac.role_ev as r on r.uuid = g.descendantuuid join rbac.role_ev as r on r.uuid = g.descendantuuid
union union
select users.* select users.*
@ -235,7 +235,7 @@ create or replace view rbac.subject_rv as
from ( from (
select usersInRolesOfcurrentSubject.* select usersInRolesOfcurrentSubject.*
from rbac.subject as usersInRolesOfcurrentSubject from rbac.subject as usersInRolesOfcurrentSubject
join rbac.grants as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid join rbac.grant as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
join rbac.role_rv as r on r.uuid = g.descendantuuid join rbac.role_rv as r on r.uuid = g.descendantuuid
union union
select users.* select users.*
@ -329,7 +329,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
(r.objecttable || ':' || r.objectidname || ':' || r.roletype) as roleName, p.op, (r.objecttable || ':' || r.objectidname || ':' || r.roletype) as roleName, p.op,
o.objecttable, r.objectidname, o.uuid as objectuuid o.objecttable, r.objectidname, o.uuid as objectuuid
from rbac.role_rv r from rbac.role_rv r
join rbac.grants g on g.ascendantuuid = r.uuid join rbac.grant g on g.ascendantuuid = r.uuid
join rbac.permission p on p.uuid = g.descendantuuid join rbac.permission p on p.uuid = g.descendantuuid
join rbac.object o on o.uuid = p.objectuuid; join rbac.object o on o.uuid = p.objectuuid;
grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
@ -369,7 +369,7 @@ begin
rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName, rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
po.uuid as permissionObjectUuid po.uuid as permissionObjectUuid
from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
join rbac.grants as g on g.descendantUuid = p.uuid join rbac.grant as g on g.descendantUuid = p.uuid
join rbac.object as po on po.uuid = p.objectUuid join rbac.object as po on po.uuid = p.objectUuid
join rbac.role_rv as r on r.uuid = g.ascendantUuid join rbac.role_rv as r on r.uuid = g.ascendantUuid
join rbac.object as ro on ro.uuid = r.objectUuid join rbac.object as ro on ro.uuid = r.objectUuid

View File

@ -193,19 +193,19 @@ begin
with accessible_uuids as ( with accessible_uuids as (
with recursive with recursive
recursive_grants as recursive_grants as
(select distinct rbac.grants.descendantuuid, (select distinct rbac.grant.descendantuuid,
rbac.grants.ascendantuuid, rbac.grant.ascendantuuid,
1 as level, 1 as level,
true true
from rbac.grants from rbac.grant
where rbac.grants.assumed where rbac.grant.assumed
and (rbac.grants.ascendantuuid = any (rbac.currentSubjectOrAssumedRolesUuids())) and (rbac.grant.ascendantuuid = any (rbac.currentSubjectOrAssumedRolesUuids()))
union all union all
select distinct g.descendantuuid, select distinct g.descendantuuid,
g.ascendantuuid, g.ascendantuuid,
grants.level + 1 as level, grants.level + 1 as level,
base.assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level) base.assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level)
from rbac.grants g from rbac.grant g
join recursive_grants grants on grants.descendantuuid = g.ascendantuuid join recursive_grants grants on grants.descendantuuid = g.ascendantuuid
where g.assumed), where g.assumed),
grant_count AS ( grant_count AS (

View File

@ -20,7 +20,7 @@ select no, to_char("count", '9 999 999 999') as "count", "table"
from rbac.reference from rbac.reference
union union
select 5 as no, count(*) as "count", 'grants' as "table" select 5 as no, count(*) as "count", 'grants' as "table"
from rbac.grants from rbac.grant
union union
select 6 as no, count(*) as "count", 'objects' as "table" select 6 as no, count(*) as "count", 'objects' as "table"
from rbac.object) as totals from rbac.object) as totals

View File

@ -212,18 +212,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM rbactest.customer LOOP FOR row IN SELECT * FROM rbactest.customer LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL rbactest.customer_build_rbac_system(row); CALL rbactest.customer_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -277,18 +277,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM rbactest.package LOOP FOR row IN SELECT * FROM rbactest.package LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL rbactest.package_build_rbac_system(row); CALL rbactest.package_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -276,18 +276,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM rbactest.domain LOOP FOR row IN SELECT * FROM rbactest.domain LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL rbactest.domain_build_rbac_system(row); CALL rbactest.domain_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -136,18 +136,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.contact LOOP FOR row IN SELECT * FROM hs_office.contact LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.contact_build_rbac_system(row); CALL hs_office.contact_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -138,18 +138,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.person LOOP FOR row IN SELECT * FROM hs_office.person LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.person_build_rbac_system(row); CALL hs_office.person_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -125,7 +125,7 @@ create or replace procedure hs_office.relation_update_rbac_system(
begin begin
if NEW.contactUuid is distinct from OLD.contactUuid then if NEW.contactUuid is distinct from OLD.contactUuid then
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid; delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
call hs_office.relation_build_rbac_system(NEW); call hs_office.relation_build_rbac_system(NEW);
end if; end if;
end; $$; end; $$;
@ -286,18 +286,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.relation LOOP FOR row IN SELECT * FROM hs_office.relation LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.relation_build_rbac_system(row); CALL hs_office.relation_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -287,18 +287,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.partner LOOP FOR row IN SELECT * FROM hs_office.partner LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.partner_build_rbac_system(row); CALL hs_office.partner_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -199,18 +199,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.partner_details LOOP FOR row IN SELECT * FROM hs_office.partner_details LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.partner_details_build_rbac_system(row); CALL hs_office.partner_details_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -135,18 +135,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.bankaccount LOOP FOR row IN SELECT * FROM hs_office.bankaccount LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.bankaccount_build_rbac_system(row); CALL hs_office.bankaccount_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -101,7 +101,7 @@ begin
if NEW.debitorRelUuid is distinct from OLD.debitorRelUuid if NEW.debitorRelUuid is distinct from OLD.debitorRelUuid
or NEW.refundBankAccountUuid is distinct from OLD.refundBankAccountUuid then or NEW.refundBankAccountUuid is distinct from OLD.refundBankAccountUuid then
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid; delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
call hs_office.debitor_build_rbac_system(NEW); call hs_office.debitor_build_rbac_system(NEW);
end if; end if;
end; $$; end; $$;
@ -276,18 +276,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.debitor LOOP FOR row IN SELECT * FROM hs_office.debitor LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.debitor_build_rbac_system(row); CALL hs_office.debitor_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -245,18 +245,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.sepamandate LOOP FOR row IN SELECT * FROM hs_office.sepamandate LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.sepamandate_build_rbac_system(row); CALL hs_office.sepamandate_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -227,18 +227,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.membership LOOP FOR row IN SELECT * FROM hs_office.membership LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.membership_build_rbac_system(row); CALL hs_office.membership_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -198,18 +198,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.coopsharetx LOOP FOR row IN SELECT * FROM hs_office.coopsharetx LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.coopsharetx_build_rbac_system(row); CALL hs_office.coopsharetx_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -198,18 +198,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_office.coopassettx LOOP FOR row IN SELECT * FROM hs_office.coopassettx LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_office.coopassettx_build_rbac_system(row); CALL hs_office.coopassettx_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -238,18 +238,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_booking.project LOOP FOR row IN SELECT * FROM hs_booking.project LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_booking.project_build_rbac_system(row); CALL hs_booking.project_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -309,18 +309,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_booking.item LOOP FOR row IN SELECT * FROM hs_booking.item LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_booking.item_build_rbac_system(row); CALL hs_booking.item_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -129,7 +129,7 @@ begin
if NEW.assignedToAssetUuid is distinct from OLD.assignedToAssetUuid if NEW.assignedToAssetUuid is distinct from OLD.assignedToAssetUuid
or NEW.alarmContactUuid is distinct from OLD.alarmContactUuid then or NEW.alarmContactUuid is distinct from OLD.alarmContactUuid then
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid; delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
call hs_hosting.asset_build_rbac_system(NEW); call hs_hosting.asset_build_rbac_system(NEW);
end if; end if;
end; $$; end; $$;
@ -215,18 +215,18 @@ DECLARE
grantsAfter numeric; grantsAfter numeric;
grantsBefore numeric; grantsBefore numeric;
BEGIN BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants; SELECT count(*) INTO grantsBefore FROM rbac.grant;
FOR row IN SELECT * FROM hs_hosting.asset LOOP FOR row IN SELECT * FROM hs_hosting.asset LOOP
-- first delete all generated grants for this row from the previously defined RBAC system -- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g DELETE FROM rbac.grant g
WHERE g.grantedbytriggerof = row.uuid; WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules -- then build the grants according to the currently defined RBAC rules
CALL hs_hosting.asset_build_rbac_system(row); CALL hs_hosting.asset_build_rbac_system(row);
END LOOP; END LOOP;
select count(*) into grantsAfter from rbac.grants; select count(*) into grantsAfter from rbac.grant;
-- print how the total count of grants has changed -- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;

View File

@ -295,14 +295,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void rebuildingTheRbacSystemWitSameRbacSpecDoesNotChangeGrantNorRoleCount() { public void rebuildingTheRbacSystemWitSameRbacSpecDoesNotChangeGrantNorRoleCount() {
final var grantCountBefore = sql("SELECT COUNT(*) FROM rbac.grants"); final var grantCountBefore = sql("SELECT COUNT(*) FROM rbac.grant");
final var roleCountBefore = sql("SELECT COUNT(*) FROM rbac.role"); final var roleCountBefore = sql("SELECT COUNT(*) FROM rbac.role");
jpaAttempt.transacted(() -> jpaAttempt.transacted(() ->
em.createNativeQuery("CALL rbactest.package_rebuild_rbac_system()") em.createNativeQuery("CALL rbactest.package_rebuild_rbac_system()")
); );
final var grantCountAfter = sql("SELECT COUNT(*) FROM rbac.grants"); final var grantCountAfter = sql("SELECT COUNT(*) FROM rbac.grant");
assertThat(grantCountBefore).as("grant count must not change").isEqualTo(grantCountAfter); assertThat(grantCountBefore).as("grant count must not change").isEqualTo(grantCountAfter);
final var roleCountAfter = sql("SELECT COUNT(*) FROM rbac.role"); final var roleCountAfter = sql("SELECT COUNT(*) FROM rbac.role");