optimize RBAC SELECT-queries for global-admins without assumed role (#124)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: #124 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
2024-11-25 10:56:16 +01:00 · 2024-11-25 10:56:16 +01:00 · 7883052864
commit 7883052864
parent d7caf3b0f8
3 changed files with 28 additions and 3 deletions
--- a/5
+++ b/5
@ -3,8 +3,9 @@ pipeline {
        dockerfile {
            filename 'etc/jenkinsAgent.Dockerfile'
            // additionalBuildArgs  ...
-            args '--network=bridge --user root -v $PWD:$PWD -v /var/run/docker.sock:/var/run/docker.sock --group-add 984'
-            reuseNode true
+            args '--network=bridge --user root -v $PWD:$PWD \
+                    -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 \
+                    --memory=6g --cpus=3'
       }
    }

--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@ -223,7 +223,7 @@ begin
            )
            select target.*
                from %1$s as target
-                where target.uuid in (select * from accessible_uuids)
+                where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids)
                order by %2$s;

        grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@ -35,6 +35,30 @@ end; $$;
 --//


+-- ============================================================================
+--changeset michael.hoennig:rbac-global-HAS-GLOBAL-ADMIN-ROLE endDelimiter:--//
+-- ----------------------------------------------------------------------------
+/*
+    Returns true if the current user is a global admin and has no assumed role.
+ */
+create or replace function rbac.hasGlobalAdminRole()
+    returns boolean
+    stable -- leakproof
+    language plpgsql as $$
+declare
+    currentSubjectOrAssumedRolesUuids text;
+begin
+    begin
+        currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids');
+    exception
+        when others then
+            currentSubjectOrAssumedRolesUuids := null;
+    end;
+    return  currentSubjectOrAssumedRolesUuids is null or length(currentSubjectOrAssumedRolesUuids) = 0;
+end; $$;
+--//
+
+
 -- ============================================================================
 --changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--//
 -- ------------------------------------------------------------------