diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacRbacSystemRebuildGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacRbacSystemRebuildGenerator.java
new file mode 100644
index 00000000..640a8b85
--- /dev/null
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacRbacSystemRebuildGenerator.java
@@ -0,0 +1,65 @@
+package net.hostsharing.hsadminng.rbac.generator;
+
+import net.hostsharing.hsadminng.rbac.generator.RbacView.RbacGrantDefinition;
+
+import java.util.HashSet;
+import java.util.Set;
+import static net.hostsharing.hsadminng.rbac.generator.StringWriter.with;
+
+class RbacRbacSystemRebuildGenerator {
+
+ private final RbacView rbacDef;
+ private final Set rbacGrants = new HashSet<>();
+ private final String liquibaseTagPrefix;
+ private final String rawTableName;
+
+ RbacRbacSystemRebuildGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
+ this.rbacDef = rbacDef;
+ this.liquibaseTagPrefix = liquibaseTagPrefix;
+ this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
+ }
+
+ void generateTo(final StringWriter plPgSql) {
+ plPgSql.writeLn("""
+ -- ============================================================================
+ --changeset RbacRbacSystemRebuildGenerator:${liquibaseTagPrefix}-rbac-rebuild endDelimiter:--//
+ -- ----------------------------------------------------------------------------
+
+ --
+ -- begin transaction;
+ -- call base.defineContext('re-creating RBAC for table ${rawTableName}', null, <>);
+ -- call ${rawTableName}_rebuild_rbac_system();
+ -- commit;
+
+ create or replace procedure ${rawTableName}_rebuild_rbac_system()
+ language plpgsql as $$
+ DECLARE
+ DECLARE
+ row ${rawTableName};
+ grantsAfter numeric;
+ grantsBefore numeric;
+ BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM ${rawTableName} LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL ${rawTableName}_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> 
after: % -> %', grantsBefore, grantsAfter;
+ END;
+ $$;
+ --//
+
+ """,
+ with("liquibaseTagPrefix", liquibaseTagPrefix),
+ with("rawTableName", rawTableName));
+ }
+}
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacViewPostgresGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacViewPostgresGenerator.java
index a8a4ba3b..56f240ab 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacViewPostgresGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacViewPostgresGenerator.java
@@ -31,6 +31,7 @@ public class RbacViewPostgresGenerator {
 new InsertTriggerGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
 new RbacIdentityViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
 new RbacRestrictedViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
+ new RbacRbacSystemRebuildGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
 }
 
 @Override
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RolesGrantsAndPermissionsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RolesGrantsAndPermissionsGenerator.java
index 6d880144..7d588536 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RolesGrantsAndPermissionsGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RolesGrantsAndPermissionsGenerator.java
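Review bot: `private final Set rbacGrants = new HashSet<>();` and the import of `RbacView.RbacGrantDefinition` are never referenced anywhere in the new class, and `Set` is a raw type; remove both, or type the field as `Set<RbacGrantDefinition>` if a follow-up actually needs it. The text block also emits two consecutive `DECLARE` keywords at the top of `${rawTableName}_rebuild_rbac_system()`; PL/pgSQL tolerates the repetition, but it reads as a slip and is copied into every `*-rbac-rebuild` changeset this commit generates, so one `DECLARE` would do. The `<>` in the `base.defineContext(...)` usage comment is an unexplained placeholder; a short comment saying what the caller has to substitute there would make the intended invocation reproducible. Since the procedure deletes every grant with `grantedbytriggerof = row.uuid` before calling `*_build_rbac_system(row)`, a header comment stating that it must run inside the single transaction shown in the usage block (so a failing rebuild leaves no row without grants) would help whoever operates it.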
@@ -258,10 +258,11 @@ class RolesGrantsAndPermissionsGenerator {
 with("ref", old.name()));
 if (ea.nullable() == RbacView.Nullable.NOT_NULL) {
 plPgSql.writeLn(
- "assert ${entityRefVar}.uuid is not null, format('${entityRefVar} must not be null for ${REF}.${dependsOnColumn} = %s', ${REF}.${dependsOnColumn});",
+ "assert ${entityRefVar}.uuid is not null, format('${entityRefVar} must not be null for ${REF}.${dependsOnColumn} = %s of ${rawTable}', ${REF}.${dependsOnColumn});",
 with("entityRefVar", entityRefVar(old, ea)),
 with("dependsOnColumn", ea.dependsOnColumName()),
- with("ref", old.name()));
+ with("ref", old.name()),
+ with("rawTable", qualifiedRawTableName));
 plPgSql.writeLn();
 }
 }
diff --git a/src/main/resources/db/changelog/2-rbactest/201-rbactest-customer/2013-rbactest-customer-rbac.sql b/src/main/resources/db/changelog/2-rbactest/201-rbactest-customer/2013-rbactest-customer-rbac.sql
index 6451fd34..dcd50ef9 100644
--- a/src/main/resources/db/changelog/2-rbactest/201-rbactest-customer/2013-rbactest-customer-rbac.sql
+++ b/src/main/resources/db/changelog/2-rbactest/201-rbactest-customer/2013-rbactest-customer-rbac.sql
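Review bot: The emitted `assert ${entityRefVar}.uuid is not null, ...` is the only check that the referenced row exists before the trigger derives roles and permissions from it, and PL/pgSQL `ASSERT` is skipped entirely when the server runs with `plpgsql.check_asserts` off, so on such a server a dangling reference would presumably let the following `rbac.defineRoleWithGrants`/`grantPermissionToRole` calls run against an empty record. Emitting an unconditional check keeps the protection independent of server configuration: `"if ${entityRefVar}.uuid is null then raise exception '${entityRefVar} must not be null for ${REF}.${dependsOnColumn} = %s of ${rawTable}', ${REF}.${dependsOnColumn}; end if;",`. If the referenced columns already carry foreign-key constraints this is belt-and-braces, but the generator cannot see that, so the unconditional form is the safer default. The method this hunk edits starts and ends outside the hunk.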
@@ -178,3 +178,41 @@ call rbac.generateRbacRestrictedView('rbactest.customer',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:rbactest-customer-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table rbactest.customer', null, <>);
+-- call rbactest.customer_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure rbactest.customer_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row rbactest.customer;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM rbactest.customer LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL rbactest.customer_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/2-rbactest/202-rbactest-package/2023-rbactest-package-rbac.sql b/src/main/resources/db/changelog/2-rbactest/202-rbactest-package/2023-rbactest-package-rbac.sql
index ac5604eb..e7f0fdf8 100644
--- a/src/main/resources/db/changelog/2-rbactest/202-rbactest-package/2023-rbactest-package-rbac.sql
+++ b/src/main/resources/db/changelog/2-rbactest/202-rbactest-package/2023-rbactest-package-rbac.sql
@@ -36,7 +36,7 @@ begin
 call rbac.enterTriggerForObjectUuid(NEW.uuid);
 
 SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
- assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of package', NEW.customerUuid);
+ assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of rbactest.package', NEW.customerUuid);
 
 
 perform rbac.defineRoleWithGrants(
@@ -102,10 +102,10 @@ begin
 call rbac.enterTriggerForObjectUuid(NEW.uuid);
 
 SELECT * FROM rbactest.customer WHERE uuid = OLD.customerUuid INTO oldCustomer;
- assert oldCustomer.uuid is not null, format('oldCustomer must not be null for OLD.customerUuid = %s of package', OLD.customerUuid);
+ assert oldCustomer.uuid is not null, format('oldCustomer must not be null for OLD.customerUuid = %s of rbactest.package', OLD.customerUuid);
 
 SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
- assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of package', NEW.customerUuid);
+ assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of rbactest.package', NEW.customerUuid);
 
 
 if NEW.customerUuid <> OLD.customerUuid then
@@ -243,3 +243,41 @@ call rbac.generateRbacRestrictedView('rbactest.package',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:rbactest-package-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table rbactest.package', null, <>);
+-- call rbactest.package_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure rbactest.package_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row rbactest.package;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM rbactest.package LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL rbactest.package_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/2-rbactest/203-rbactest-domain/2033-rbactest-domain-rbac.sql b/src/main/resources/db/changelog/2-rbactest/203-rbactest-domain/2033-rbactest-domain-rbac.sql
index 2fc0d2a5..2c47fba5 100644
--- a/src/main/resources/db/changelog/2-rbactest/203-rbactest-domain/2033-rbactest-domain-rbac.sql
+++ b/src/main/resources/db/changelog/2-rbactest/203-rbactest-domain/2033-rbactest-domain-rbac.sql
@@ -36,7 +36,7 @@ begin
 call rbac.enterTriggerForObjectUuid(NEW.uuid);
 
 SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
- assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of domain', NEW.packageUuid);
+ assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of rbactest.domain', NEW.packageUuid);
 
 
 perform rbac.defineRoleWithGrants(
@@ -98,10 +98,10 @@ begin
 call rbac.enterTriggerForObjectUuid(NEW.uuid);
 
 SELECT * FROM rbactest.package WHERE uuid = OLD.packageUuid INTO oldPackage;
- assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s of domain', OLD.packageUuid);
+ assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s of rbactest.domain', OLD.packageUuid);
 
 SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
- assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of domain', NEW.packageUuid);
+ assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of rbactest.domain', NEW.packageUuid);
 
 
 if NEW.packageUuid <> OLD.packageUuid then
@@ -242,3 +242,41 @@ call rbac.generateRbacRestrictedView('rbactest.domain',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:rbactest-domain-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table rbactest.domain', null, <>);
+-- call rbactest.domain_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure rbactest.domain_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row rbactest.domain;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM rbactest.domain LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL rbactest.domain_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
index 08bdcfc3..ec916829 100644
--- a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
@@ -102,3 +102,41 @@ call rbac.generateRbacRestrictedView('hs_office.contact',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:hs-office-contact-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table hs_office.contact', null, <>);
+-- call hs_office.contact_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure hs_office.contact_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row hs_office.contact;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM hs_office.contact LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL hs_office.contact_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
index 2f8df513..f69b94cd 100644
--- a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
@@ -104,3 +104,41 @@ call rbac.generateRbacRestrictedView('hs_office.person',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:hs-office-person-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table hs_office.person', null, <>);
+-- call hs_office.person_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure hs_office.person_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row hs_office.person;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM hs_office.person LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL hs_office.person_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
index abef1093..e581b3bd 100644
--- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
@@ -38,13 +38,13 @@ begin
 call rbac.enterTriggerForObjectUuid(NEW.uuid);
 
 SELECT * FROM hs_office.person WHERE uuid = NEW.holderUuid INTO newHolderPerson;
- assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s of relation', NEW.holderUuid);
+ assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s of hs_office.relation', NEW.holderUuid);
 
 SELECT * FROM hs_office.person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson;
- assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s of relation', NEW.anchorUuid);
+ assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s of hs_office.relation', NEW.anchorUuid);
 
 SELECT * FROM hs_office.contact WHERE uuid = NEW.contactUuid INTO newContact;
- assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s of relation', NEW.contactUuid);
+ assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s of hs_office.relation', NEW.contactUuid);
 
 
 perform rbac.defineRoleWithGrants(
@@ -254,12 +254,12 @@ call rbac.generateRbacRestrictedView('hs_office.relation',
 
 
 -- ============================================================================
---changeset RbacRestrictedViewGenerator:hs-office-relation-rbac-rebuild endDelimiter:--//
+--changeset RbacRbacSystemRebuildGenerator:hs-office-relation-rbac-rebuild endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 --
 -- begin transaction;
--- call base.defineContext('re-creating RBAC for table relation', null, <>);
+-- call base.defineContext('re-creating RBAC for table hs_office.relation', null, <>);
 -- call hs_office.relation_rebuild_rbac_system();
 -- commit;
 
@@ -289,3 +289,4 @@ BEGIN
 END;
 $$;
 --//
+
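Review bot: In the second hunk of this file, renaming the author part of the `--changeset` id from `RbacRestrictedViewGenerator:hs-office-relation-rbac-rebuild` to `RbacRbacSystemRebuildGenerator:hs-office-relation-rbac-rebuild` changes the changeset's identity for Liquibase, so on any database where the old id has already been applied the renamed changeset will run again as a new one and the old entry stays behind in DATABASECHANGELOG. That is presumably harmless here because the body is a `create or replace procedure`, but it is worth a line in the commit message or a `-- note: changeset author renamed from RbacRestrictedViewGenerator` above the header so that the re-execution is not mistaken for drift. The procedure body itself lies between the second and third hunks and is not shown.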
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
index bfe295fe..88f6c928 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
@@ -37,10 +37,10 @@ begin
 call rbac.enterTriggerForObjectUuid(NEW.uuid);
 
 SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
- assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of partner', NEW.partnerRelUuid);
+ assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of hs_office.partner', NEW.partnerRelUuid);
 
 SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
- assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of partner', NEW.detailsUuid);
+ assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of hs_office.partner', NEW.detailsUuid);
 
 call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hs_office.relation_OWNER(newPartnerRel));
 call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.relation_TENANT(newPartnerRel));
@@ -96,16 +96,16 @@ begin
 call rbac.enterTriggerForObjectUuid(NEW.uuid);
 
 SELECT * FROM hs_office.relation WHERE uuid = OLD.partnerRelUuid INTO oldPartnerRel;
- assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s of partner', OLD.partnerRelUuid);
+ assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s of hs_office.partner', OLD.partnerRelUuid);
 
 SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
- assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of partner', NEW.partnerRelUuid);
+ assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of hs_office.partner', NEW.partnerRelUuid);
 
 SELECT * FROM hs_office.partner_details WHERE uuid = OLD.detailsUuid INTO oldPartnerDetails;
- assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s of partner', OLD.detailsUuid);
+ assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s of hs_office.partner', OLD.detailsUuid);
 
 SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
- assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of partner', NEW.detailsUuid);
+ assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of hs_office.partner', NEW.detailsUuid);
 
 
 if NEW.partnerRelUuid <> OLD.partnerRelUuid then
@@ -253,3 +253,41 @@ call rbac.generateRbacRestrictedView('hs_office.partner',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:hs-office-partner-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table hs_office.partner', null, <>);
+-- call hs_office.partner_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure hs_office.partner_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row hs_office.partner;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM hs_office.partner LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL hs_office.partner_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
index eb1f7fd4..3b812f17 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
@@ -165,3 +165,41 @@ call rbac.generateRbacRestrictedView('hs_office.partner_details',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:hs-office-partner-details-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table hs_office.partner_details', null, <>);
+-- call hs_office.partner_details_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure hs_office.partner_details_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row hs_office.partner_details;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM hs_office.partner_details LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL hs_office.partner_details_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
index e283c13f..7c6c2656 100644
--- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
@@ -101,3 +101,41 @@ call rbac.generateRbacRestrictedView('hs_office.bankaccount',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:hs-office-bankaccount-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table hs_office.bankaccount', null, <>);
+-- call hs_office.bankaccount_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure hs_office.bankaccount_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row hs_office.bankaccount;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM hs_office.bankaccount LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL hs_office.bankaccount_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
index 6a65dd39..b6ef748c 100644
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
@@ -44,10 +44,10 @@ begin
 WHERE partnerRel.type = 'PARTNER'
 AND NEW.debitorRelUuid = debitorRel.uuid
 INTO newPartnerRel;
- assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s of debitor', NEW.debitorRelUuid);
+ assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s of hs_office.debitor', NEW.debitorRelUuid);
 
 SELECT * FROM hs_office.relation WHERE uuid = NEW.debitorRelUuid INTO newDebitorRel;
- assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s of debitor', NEW.debitorRelUuid);
+ assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s of hs_office.debitor', NEW.debitorRelUuid);
 
 SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
 
@@ -242,3 +242,41 @@ call rbac.generateRbacRestrictedView('hs_office.debitor',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:hs-office-debitor-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table hs_office.debitor', null, <>);
+-- call hs_office.debitor_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure hs_office.debitor_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row hs_office.debitor;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM hs_office.debitor LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL hs_office.debitor_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
index f22a826b..daf2ce3d 100644
--- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
@@ -37,14 +37,14 @@ begin
 call rbac.enterTriggerForObjectUuid(NEW.uuid);
 
 SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.bankAccountUuid INTO newBankAccount;
- assert newBankAccount.uuid is not null, format('newBankAccount must not be null for NEW.bankAccountUuid = %s of sepamandate', NEW.bankAccountUuid);
+ assert newBankAccount.uuid is not null, format('newBankAccount must not be null for NEW.bankAccountUuid = %s of hs_office.sepamandate', NEW.bankAccountUuid);
 
 SELECT debitorRel.*
 FROM hs_office.relation debitorRel
 JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
 WHERE debitor.uuid = NEW.debitorUuid
 INTO newDebitorRel;
- assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of sepamandate', NEW.debitorUuid);
+ assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of hs_office.sepamandate', NEW.debitorUuid);
 
 
 perform rbac.defineRoleWithGrants(
@@ -211,3 +211,41 @@ call rbac.generateRbacRestrictedView('hs_office.sepamandate',
 
 $updates$);
 --//
+
+-- ============================================================================
+--changeset RbacRbacSystemRebuildGenerator:hs-office-sepamandate-rbac-rebuild endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+--
+-- begin transaction;
+-- call base.defineContext('re-creating RBAC for table hs_office.sepamandate', null, <>);
+-- call hs_office.sepamandate_rebuild_rbac_system();
+-- commit;
+
+create or replace procedure hs_office.sepamandate_rebuild_rbac_system()
+ language plpgsql as $$
+DECLARE
+ DECLARE
+ row hs_office.sepamandate;
+ grantsAfter numeric;
+ grantsBefore numeric;
+BEGIN
+ SELECT count(*) INTO grantsBefore FROM rbac.grants;
+
+ FOR row IN SELECT * FROM hs_office.sepamandate LOOP
+ -- first delete all generated grants for this row from the previously defined RBAC system
+ DELETE FROM rbac.grants g
+ WHERE g.grantedbytriggerof = row.uuid;
+
+ -- then build the grants according to the currently defined RBAC rules
+ CALL hs_office.sepamandate_build_rbac_system(row);
+ END LOOP;
+
+ select count(*) into grantsAfter from rbac.grants;
+
+ -- print how the total count of grants has changed
+ raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
+END;
+$$;
+--//
+
diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
index 306dbced..1c5f8b9b 100644
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
@@ -40,7 +40,7 @@ begin JOIN hs_office.relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid WHERE partner.uuid = NEW.partnerUuid INTO newPartnerRel; - assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s of membership', NEW.partnerUuid); + assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s of hs_office.membership', NEW.partnerUuid); perform rbac.defineRoleWithGrants( @@ -193,3 +193,41 @@ call rbac.generateRbacRestrictedView('hs_office.membership', $updates$); --// + +-- ============================================================================ +--changeset RbacRbacSystemRebuildGenerator:hs-office-membership-rbac-rebuild endDelimiter:--// +-- ---------------------------------------------------------------------------- + +-- +-- begin transaction; +-- call base.defineContext('re-creating RBAC for table hs_office.membership', null, <>); +-- call hs_office.membership_rebuild_rbac_system(); +-- commit; + +create or replace procedure hs_office.membership_rebuild_rbac_system() + language plpgsql as $$ +DECLARE + DECLARE + row hs_office.membership; + grantsAfter numeric; + grantsBefore numeric; +BEGIN + SELECT count(*) INTO grantsBefore FROM rbac.grants; + + FOR row IN SELECT * FROM hs_office.membership LOOP + -- first delete all generated grants for this row from the previously defined RBAC system + DELETE FROM rbac.grants g + WHERE g.grantedbytriggerof = row.uuid; + + -- then build the grants according to the currently defined RBAC rules + CALL hs_office.membership_build_rbac_system(row); + END LOOP; + + select count(*) into grantsAfter from rbac.grants; + + -- print how the total count of grants has changed + raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; +END; +$$; +--// + 
diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql index e7cc8811..6784c19a 100644 --- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql @@ -36,7 +36,7 @@ begin call rbac.enterTriggerForObjectUuid(NEW.uuid); SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership; - assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of coopshares', NEW.membershipUuid); + assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of hs_office.coopsharetx', NEW.membershipUuid); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership)); 
@@ -164,3 +164,41 @@ call rbac.generateRbacRestrictedView('hs_office.coopsharetx', $updates$); --// + +-- ============================================================================ +--changeset RbacRbacSystemRebuildGenerator:hs-office-coopsharetx-rbac-rebuild endDelimiter:--// +-- ---------------------------------------------------------------------------- + +-- +-- begin transaction; +-- call base.defineContext('re-creating RBAC for table hs_office.coopsharetx', null, <>); +-- call hs_office.coopsharetx_rebuild_rbac_system(); +-- commit; + +create or replace procedure hs_office.coopsharetx_rebuild_rbac_system() + language plpgsql as $$ +DECLARE + DECLARE + row hs_office.coopsharetx; + grantsAfter numeric; + grantsBefore numeric; +BEGIN + SELECT count(*) INTO grantsBefore FROM rbac.grants; + + FOR row IN SELECT * FROM hs_office.coopsharetx LOOP + -- first delete all generated grants for this row from the previously defined RBAC system + DELETE FROM rbac.grants g + WHERE g.grantedbytriggerof = row.uuid; + + -- then build the grants according to the currently defined RBAC rules + CALL hs_office.coopsharetx_build_rbac_system(row); + END LOOP; + + select count(*) into grantsAfter from rbac.grants; + + -- print how the total count of grants has changed + raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; +END; +$$; +--// + diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql index f5647823..62ec9f01 100644 --- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql 
@@ -36,7 +36,7 @@ begin call rbac.enterTriggerForObjectUuid(NEW.uuid); SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership; - assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of coopasset', NEW.membershipUuid); + assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of hs_office.coopassettx', NEW.membershipUuid); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership)); 
@@ -164,3 +164,41 @@ call rbac.generateRbacRestrictedView('hs_office.coopassettx', $updates$); --// + +-- ============================================================================ +--changeset RbacRbacSystemRebuildGenerator:hs-office-coopassettx-rbac-rebuild endDelimiter:--// +-- ---------------------------------------------------------------------------- + +-- +-- begin transaction; +-- call base.defineContext('re-creating RBAC for table hs_office.coopassettx', null, <>); +-- call hs_office.coopassettx_rebuild_rbac_system(); +-- commit; + +create or replace procedure hs_office.coopassettx_rebuild_rbac_system() + language plpgsql as $$ +DECLARE + DECLARE + row hs_office.coopassettx; + grantsAfter numeric; + grantsBefore numeric; +BEGIN + SELECT count(*) INTO grantsBefore FROM rbac.grants; + + FOR row IN SELECT * FROM hs_office.coopassettx LOOP + -- first delete all generated grants for this row from the previously defined RBAC system + DELETE FROM rbac.grants g + WHERE g.grantedbytriggerof = row.uuid; + + -- then build the grants according to the currently defined RBAC rules + CALL hs_office.coopassettx_build_rbac_system(row); + END LOOP; + + select count(*) into grantsAfter from rbac.grants; + + -- print how the total count of grants has changed + raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; +END; +$$; +--// + diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql index ade16515..0b679353 100644 --- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql 
@@ -37,14 +37,14 @@ begin call rbac.enterTriggerForObjectUuid(NEW.uuid); SELECT * FROM hs_office.debitor WHERE uuid = NEW.debitorUuid INTO newDebitor; - assert newDebitor.uuid is not null, format('newDebitor must not be null for NEW.debitorUuid = %s of project', NEW.debitorUuid); + assert newDebitor.uuid is not null, format('newDebitor must not be null for NEW.debitorUuid = %s of hs_booking.project', NEW.debitorUuid); SELECT debitorRel.* FROM hs_office.relation debitorRel JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid WHERE debitor.uuid = NEW.debitorUuid INTO newDebitorRel; - assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s or project', NEW.debitorUuid); + assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of hs_booking.project', NEW.debitorUuid); perform rbac.defineRoleWithGrants( 
@@ -204,3 +204,41 @@ call rbac.generateRbacRestrictedView('hs_booking.project', $updates$); --// + +-- ============================================================================ +--changeset RbacRbacSystemRebuildGenerator:hs-booking-project-rbac-rebuild endDelimiter:--// +-- ---------------------------------------------------------------------------- + +-- +-- begin transaction; +-- call base.defineContext('re-creating RBAC for table hs_booking.project', null, <>); +-- call hs_booking.project_rebuild_rbac_system(); +-- commit; + +create or replace procedure hs_booking.project_rebuild_rbac_system() + language plpgsql as $$ +DECLARE + DECLARE + row hs_booking.project; + grantsAfter numeric; + grantsBefore numeric; +BEGIN + SELECT count(*) INTO grantsBefore FROM rbac.grants; + + FOR row IN SELECT * FROM hs_booking.project LOOP + -- first delete all generated grants for this row from the previously defined RBAC system + DELETE FROM rbac.grants g + WHERE g.grantedbytriggerof = row.uuid; + + -- then build the grants according to the currently defined RBAC rules + CALL hs_booking.project_build_rbac_system(row); + END LOOP; + + select count(*) into grantsAfter from rbac.grants; + + -- print how the total count of grants has changed + raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; +END; +$$; +--// + diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql index 67173247..679ee95a 100644 --- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql 
@@ -275,3 +275,41 @@ call rbac.generateRbacRestrictedView('hs_booking.item', $updates$); --// + +-- ============================================================================ +--changeset RbacRbacSystemRebuildGenerator:hs-booking-item-rbac-rebuild endDelimiter:--// +-- ---------------------------------------------------------------------------- + +-- +-- begin transaction; +-- call base.defineContext('re-creating RBAC for table hs_booking.item', null, <>); +-- call hs_booking.item_rebuild_rbac_system(); +-- commit; + +create or replace procedure hs_booking.item_rebuild_rbac_system() + language plpgsql as $$ +DECLARE + DECLARE + row hs_booking.item; + grantsAfter numeric; + grantsBefore numeric; +BEGIN + SELECT count(*) INTO grantsBefore FROM rbac.grants; + + FOR row IN SELECT * FROM hs_booking.item LOOP + -- first delete all generated grants for this row from the previously defined RBAC system + DELETE FROM rbac.grants g + WHERE g.grantedbytriggerof = row.uuid; + + -- then build the grants according to the currently defined RBAC rules + CALL hs_booking.item_build_rbac_system(row); + END LOOP; + + select count(*) into grantsAfter from rbac.grants; + + -- print how the total count of grants has changed + raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; +END; +$$; +--// + diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql index 4e2137af..e80171f0 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql 
@@ -181,3 +181,41 @@ call rbac.generateRbacRestrictedView('hs_hosting.asset', $updates$); --// + +-- ============================================================================ +--changeset RbacRbacSystemRebuildGenerator:hs-hosting-asset-rbac-rebuild endDelimiter:--// +-- ---------------------------------------------------------------------------- + +-- +-- begin transaction; +-- call base.defineContext('re-creating RBAC for table hs_hosting.asset', null, <>); +-- call hs_hosting.asset_rebuild_rbac_system(); +-- commit; + +create or replace procedure hs_hosting.asset_rebuild_rbac_system() + language plpgsql as $$ +DECLARE + DECLARE + row hs_hosting.asset; + grantsAfter numeric; + grantsBefore numeric; +BEGIN + SELECT count(*) INTO grantsBefore FROM rbac.grants; + + FOR row IN SELECT * FROM hs_hosting.asset LOOP + -- first delete all generated grants for this row from the previously defined RBAC system + DELETE FROM rbac.grants g + WHERE g.grantedbytriggerof = row.uuid; + + -- then build the grants according to the currently defined RBAC rules + CALL hs_hosting.asset_build_rbac_system(row); + END LOOP; + + select count(*) into grantsAfter from rbac.grants; + + -- print how the total count of grants has changed + raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter; +END; +$$; +--// +