From 6f6320565c04151ff8ef393b0c07aaa6e1c34431 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Wed, 27 Jul 2022 13:05:19 +0200
Subject: [PATCH] the _rv query with WHERE IN was faster after all, removing
 the JOIN variant

---
 sql/00-util.sql            | 14 ++++++++++++++
 sql/21-hs-customer.sql     | 15 +--------------
 sql/22-hs-packages.sql     | 16 +---------------
 sql/23-hs-unixuser.sql     | 16 ++--------------
 sql/24-hs-domain.sql       | 14 +-------------
 sql/25-hs-emailaddress.sql | 14 +-------------
 sql/28--hs-tests.sql       | 13 ++-----------
 7 files changed, 22 insertions(+), 80 deletions(-)

diff --git a/sql/00-util.sql b/sql/00-util.sql
index 06755f11..7f39452e 100644
--- a/sql/00-util.sql
+++ b/sql/00-util.sql
@@ -47,3 +47,17 @@ BEGIN
 END; $$;
 
 select * from randomInRange(0, 4);
+
+
+-- ========================================================
+-- Test helpers
+-- --------------------------------------------------------
+
+-- there are some random ractors in test data generation, thus a range has to be accepted
+CREATE OR REPLACE PROCEDURE expectBetween(actualCount integer, expectedFrom integer, expectedTo integer)
+    LANGUAGE plpgsql AS $$
+BEGIN
+    IF NOT actualCount BETWEEN expectedFrom AND expectedTo THEN
+        RAISE EXCEPTION 'count expected to be between % and %, but got %', expectedFrom, expectedTo, actualCount;
+    END IF;
+END; $$;
diff --git a/sql/21-hs-customer.sql b/sql/21-hs-customer.sql
index 0c77dea6..83612e9b 100644
--- a/sql/21-hs-customer.sql
+++ b/sql/21-hs-customer.sql
@@ -107,26 +107,13 @@ CREATE TRIGGER deleteRbacRulesForCustomer_Trigger
 
 
 -- create RBAC restricted view
-
--- automatically updatable, but slow with WHERE IN
 SET SESSION SESSION AUTHORIZATION DEFAULT;
 ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
 DROP VIEW IF EXISTS customer_rv;
 CREATE OR REPLACE VIEW customer_rv AS
     SELECT DISTINCT target.*
       FROM customer AS target
-     WHERE target.uuid IN (SELECT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'customer', currentSubjectIds()));
-GRANT ALL PRIVILEGES ON customer_rv TO restricted;
-
--- not automatically updatable, but fast with JOIN
-SET SESSION SESSION AUTHORIZATION DEFAULT;
-ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
-DROP VIEW IF EXISTS customer_rv;
-CREATE OR REPLACE VIEW customer_rv AS
-    SELECT DISTINCT target.*
-      FROM customer AS target
-      JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'customer', currentSubjectIds()) AS allowedObjId
-           ON target.uuid = allowedObjId;
+     WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'customer', currentSubjectIds()));
 GRANT ALL PRIVILEGES ON customer_rv TO restricted;
 
 
diff --git a/sql/22-hs-packages.sql b/sql/22-hs-packages.sql
index 483725b4..3f21ae45 100644
--- a/sql/22-hs-packages.sql
+++ b/sql/22-hs-packages.sql
@@ -99,29 +99,15 @@ CREATE TRIGGER deleteRbacRulesForPackage_Trigger
     FOR EACH ROW EXECUTE PROCEDURE deleteRbacRulesForPackage();
 
 -- create RBAC-restricted view
-
--- automatically updatable, but slow with WHERE IN
 SET SESSION SESSION AUTHORIZATION DEFAULT;
 ALTER TABLE package ENABLE ROW LEVEL SECURITY;
 DROP VIEW IF EXISTS package_rv;
 CREATE OR REPLACE VIEW package_rv AS
     SELECT DISTINCT target.*
       FROM package AS target
-     WHERE target.uuid IN (SELECT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'package', currentSubjectIds()));
+     WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'package', currentSubjectIds()));
 GRANT ALL PRIVILEGES ON package_rv TO restricted;
 
--- not automatically updatable, but fast with JOIN
-SET SESSION SESSION AUTHORIZATION DEFAULT;
-ALTER TABLE package ENABLE ROW LEVEL SECURITY;
-DROP VIEW IF EXISTS package_rv;
-CREATE OR REPLACE VIEW package_rv AS
-    SELECT DISTINCT target.*
-      FROM package AS target
-     JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'package', currentSubjectIds()) AS allowedObjId
-          ON target.uuid = allowedObjId;
-GRANT ALL PRIVILEGES ON package_rv TO restricted;
-
-
 
 -- generate Package test data
 
diff --git a/sql/23-hs-unixuser.sql b/sql/23-hs-unixuser.sql
index cfeccfb0..44392104 100644
--- a/sql/23-hs-unixuser.sql
+++ b/sql/23-hs-unixuser.sql
@@ -8,6 +8,7 @@ SET SESSION SESSION AUTHORIZATION DEFAULT ;
 CREATE TABLE IF NOT EXISTS UnixUser (
     uuid uuid UNIQUE REFERENCES RbacObject(uuid),
     name character varying(32),
+    comment character varying(96),
     packageUuid uuid REFERENCES package(uuid)
 );
 
@@ -102,26 +103,13 @@ CREATE TRIGGER createRbacRulesForUnixUser_Trigger
 
 
 -- create RBAC-restricted view
-
--- automatically updatable, but slow with WHERE IN
 SET SESSION SESSION AUTHORIZATION DEFAULT;
 ALTER TABLE unixuser ENABLE ROW LEVEL SECURITY;
 DROP VIEW IF EXISTS unixuser_rv;
 CREATE OR REPLACE VIEW unixuser_rv AS
     SELECT DISTINCT target.*
       FROM unixuser AS target
-    WHERE target.uuid IN (SELECT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'unixuser', currentSubjectIds()));
-GRANT ALL PRIVILEGES ON unixuser_rv TO restricted;
-
--- not automatically updatable, but fast with JOIN
-SET SESSION SESSION AUTHORIZATION DEFAULT;
-ALTER TABLE unixuser ENABLE ROW LEVEL SECURITY;
-DROP VIEW IF EXISTS unixuser_rv;
-CREATE OR REPLACE VIEW unixuser_rv AS
-    SELECT DISTINCT target.*
-     FROM unixuser AS target
-     JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'unixuser', currentSubjectIds()) AS allowedObjId
-          ON target.uuid = allowedObjId;
+    WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'unixuser', currentSubjectIds()));
 GRANT ALL PRIVILEGES ON unixuser_rv TO restricted;
 
 
diff --git a/sql/24-hs-domain.sql b/sql/24-hs-domain.sql
index 856d55f6..e9fbc142 100644
--- a/sql/24-hs-domain.sql
+++ b/sql/24-hs-domain.sql
@@ -86,27 +86,15 @@ CREATE TRIGGER createRbacRulesForDomain_Trigger
 
 
 -- create RBAC-restricted view
-
--- automatically updatable, but slow with WHERE IN
 SET SESSION SESSION AUTHORIZATION DEFAULT;
 ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
 DROP VIEW IF EXISTS domain_rv;
 CREATE OR REPLACE VIEW domain_rv AS
     SELECT DISTINCT target.*
       FROM Domain AS target
-      WHERE target.uuid IN (SELECT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()));
+      WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()));
 GRANT ALL PRIVILEGES ON domain_rv TO restricted;
 
--- not automatically updatable, but fast with JOIN
-SET SESSION SESSION AUTHORIZATION DEFAULT;
-ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
-DROP VIEW IF EXISTS domain_rv;
-CREATE OR REPLACE VIEW domain_rv AS
-    SELECT DISTINCT target.*
-      FROM Domain AS target
-      JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()) AS allowedObjId
-           ON target.uuid = allowedObjId;
-GRANT ALL PRIVILEGES ON domain_rv TO restricted;
 
 -- generate Domain test data
 
diff --git a/sql/25-hs-emailaddress.sql b/sql/25-hs-emailaddress.sql
index df9d575c..7ff46b5a 100644
--- a/sql/25-hs-emailaddress.sql
+++ b/sql/25-hs-emailaddress.sql
@@ -74,25 +74,13 @@ CREATE TRIGGER createRbacRulesForEMailAddress_Trigger
 
 
 -- create RBAC-restricted view
-
--- automatically updatable, but slow with WHERE IN
 SET SESSION SESSION AUTHORIZATION DEFAULT;
 ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
 DROP VIEW IF EXISTS EMailAddress_rv;
 CREATE OR REPLACE VIEW EMailAddress_rv AS
     SELECT DISTINCT target.*
     FROM EMailAddress AS target
-    WHERE target.uuid IN (SELECT DISTINCT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds()));
-GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted;
-
--- not automatically updatable, but fast with JOIN
-SET SESSION SESSION AUTHORIZATION DEFAULT;
-ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
-DROP VIEW IF EXISTS EMailAddress_rv;
-CREATE OR REPLACE VIEW EMailAddress_rv AS
-    SELECT target.*
-      FROM EMailAddress AS target
-     WHERE target.uuid IN (SELECT DISTINCT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds()));
+    WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds()));
 GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted;
 
 -- generate EMailAddress test data
diff --git a/sql/28--hs-tests.sql b/sql/28--hs-tests.sql
index 6b095349..e52a2ca3 100644
--- a/sql/28--hs-tests.sql
+++ b/sql/28--hs-tests.sql
@@ -1,15 +1,6 @@
 ABORT;
 SET SESSION SESSION AUTHORIZATION DEFAULT;
 
--- there are some random ractors in test data generation, thus a range has to be accepted
-CREATE OR REPLACE PROCEDURE expectBetween(actualCount integer, expectedFrom integer, expectedTo integer)
-    LANGUAGE plpgsql AS $$
-BEGIN
-    IF NOT actualCount BETWEEN expectedFrom AND expectedTo THEN
-        RAISE EXCEPTION 'count expected to be between % and %, but got %', expectedFrom, expectedTo, actualCount;
-    END IF;
-END; $$;
-
 DO LANGUAGE plpgsql $$
 DECLARE
     resultCount integer;
@@ -90,8 +81,8 @@ BEGIN
     SET SESSION SESSION AUTHORIZATION restricted;
     SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
     SET LOCAL hsadminng.assumedRoles = 'customer#aae.admin;customer#aaf.admin';
-    SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
-    -- SELECT count(*) INTO resultCount
+    -- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
+    SELECT count(*) INTO resultCount
       FROM emailaddress_rv ema
       JOIN domain_rv dom ON dom.uuid = ema.domainuuid
       JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid