generate RBAC-system rebuild for each table with RBAC-support

Michael Hoennig 2024-12-31 14:34:12 +01:00
parent 9a8285e43c
commit 7ae1a0eb37
20 changed files with 704 additions and 28 deletions


@ -0,0 +1,65 @@
package net.hostsharing.hsadminng.rbac.generator;
import net.hostsharing.hsadminng.rbac.generator.RbacView.RbacGrantDefinition;
import java.util.HashSet;
import java.util.Set;
import static net.hostsharing.hsadminng.rbac.generator.StringWriter.with;
class RbacRbacSystemRebuildGenerator {
private final RbacView rbacDef;
private final Set<RbacGrantDefinition> rbacGrants = new HashSet<>();
private final String liquibaseTagPrefix;
private final String rawTableName;
RbacRbacSystemRebuildGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
this.rbacDef = rbacDef;
this.liquibaseTagPrefix = liquibaseTagPrefix;
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
}
void generateTo(final StringWriter plPgSql) {
plPgSql.writeLn("""
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:${liquibaseTagPrefix}-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table ${rawTableName}', null, <<insert executing global admin user here>>);
-- call ${rawTableName}_rebuild_rbac_system();
-- commit;
create or replace procedure ${rawTableName}_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row ${rawTableName};
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM ${rawTableName} LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL ${rawTableName}_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//
""",
with("liquibaseTagPrefix", liquibaseTagPrefix),
with("rawTableName", rawTableName));
}
}
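Review bot: The text block in generateTo emits `DECLARE` twice in a row (the two `DECLARE` lines directly before `row ${rawTableName};`); PL/pgSQL tolerates a redundant DECLARE, but it reads as a typo and is copied verbatim into every generated `*_rebuild_rbac_system` procedure in the SQL sections below, so one of the two lines should go. The `rbacGrants` set declared on the class is never read by the constructor or generateTo, so it and the HashSet/Set imports look like leftovers from copying another generator. The procedure is created with no EXECUTE restriction and is not SECURITY DEFINER, so a caller still needs its own DELETE privilege on rbac.grants, but since EXECUTE on a new PostgreSQL procedure defaults to PUBLIC and one call wipes and rebuilds every grant rooted at the table's rows, consider having the changeset also emit `revoke execute on procedure ${rawTableName}_rebuild_rbac_system() from public;` and grant it only to the admin role the header comment expects to run it — how much that matters depends on the role model, which is not visible here. The hs_office.relation section shows an earlier copy of this changeset whose author changes from RbacRestrictedViewGenerator to the new generator name; if that changeset was ever applied, Liquibase will presumably treat the renamed one as a brand-new changeset (harmless with `create or replace`, but the old entry stays behind in the changelog table), which is worth a sentence in the commit message.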


@ -31,6 +31,7 @@ public class RbacViewPostgresGenerator {
new InsertTriggerGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql); new InsertTriggerGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
new RbacIdentityViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql); new RbacIdentityViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
new RbacRestrictedViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql); new RbacRestrictedViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
new RbacRbacSystemRebuildGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
} }
@Override @Override


@ -258,10 +258,11 @@ class RolesGrantsAndPermissionsGenerator {
with("ref", old.name())); with("ref", old.name()));
if (ea.nullable() == RbacView.Nullable.NOT_NULL) { if (ea.nullable() == RbacView.Nullable.NOT_NULL) {
plPgSql.writeLn( plPgSql.writeLn(
"assert ${entityRefVar}.uuid is not null, format('${entityRefVar} must not be null for ${REF}.${dependsOnColumn} = %s', ${REF}.${dependsOnColumn});", "assert ${entityRefVar}.uuid is not null, format('${entityRefVar} must not be null for ${REF}.${dependsOnColumn} = %s of ${rawTable}', ${REF}.${dependsOnColumn});",
with("entityRefVar", entityRefVar(old, ea)), with("entityRefVar", entityRefVar(old, ea)),
with("dependsOnColumn", ea.dependsOnColumName()), with("dependsOnColumn", ea.dependsOnColumName()),
with("ref", old.name())); with("ref", old.name()),
with("rawTable", qualifiedRawTableName));
plPgSql.writeLn(); plPgSql.writeLn();
} }
} }


@ -178,3 +178,41 @@ call rbac.generateRbacRestrictedView('rbactest.customer',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:rbactest-customer-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table rbactest.customer', null, <<insert executing global admin user here>>);
-- call rbactest.customer_rebuild_rbac_system();
-- commit;
create or replace procedure rbactest.customer_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row rbactest.customer;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM rbactest.customer LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL rbactest.customer_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -36,7 +36,7 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer; SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of package', NEW.customerUuid); assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of rbactest.package', NEW.customerUuid);
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
@ -102,10 +102,10 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM rbactest.customer WHERE uuid = OLD.customerUuid INTO oldCustomer; SELECT * FROM rbactest.customer WHERE uuid = OLD.customerUuid INTO oldCustomer;
assert oldCustomer.uuid is not null, format('oldCustomer must not be null for OLD.customerUuid = %s of package', OLD.customerUuid); assert oldCustomer.uuid is not null, format('oldCustomer must not be null for OLD.customerUuid = %s of rbactest.package', OLD.customerUuid);
SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer; SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of package', NEW.customerUuid); assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of rbactest.package', NEW.customerUuid);
if NEW.customerUuid <> OLD.customerUuid then if NEW.customerUuid <> OLD.customerUuid then
@ -243,3 +243,41 @@ call rbac.generateRbacRestrictedView('rbactest.package',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:rbactest-package-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table rbactest.package', null, <<insert executing global admin user here>>);
-- call rbactest.package_rebuild_rbac_system();
-- commit;
create or replace procedure rbactest.package_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row rbactest.package;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM rbactest.package LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL rbactest.package_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -36,7 +36,7 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage; SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of domain', NEW.packageUuid); assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of rbactest.domain', NEW.packageUuid);
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
@ -98,10 +98,10 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM rbactest.package WHERE uuid = OLD.packageUuid INTO oldPackage; SELECT * FROM rbactest.package WHERE uuid = OLD.packageUuid INTO oldPackage;
assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s of domain', OLD.packageUuid); assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s of rbactest.domain', OLD.packageUuid);
SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage; SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of domain', NEW.packageUuid); assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of rbactest.domain', NEW.packageUuid);
if NEW.packageUuid <> OLD.packageUuid then if NEW.packageUuid <> OLD.packageUuid then
@ -242,3 +242,41 @@ call rbac.generateRbacRestrictedView('rbactest.domain',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:rbactest-domain-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table rbactest.domain', null, <<insert executing global admin user here>>);
-- call rbactest.domain_rebuild_rbac_system();
-- commit;
create or replace procedure rbactest.domain_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row rbactest.domain;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM rbactest.domain LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL rbactest.domain_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -102,3 +102,41 @@ call rbac.generateRbacRestrictedView('hs_office.contact',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-contact-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.contact', null, <<insert executing global admin user here>>);
-- call hs_office.contact_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.contact_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.contact;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.contact LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.contact_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -104,3 +104,41 @@ call rbac.generateRbacRestrictedView('hs_office.person',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-person-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.person', null, <<insert executing global admin user here>>);
-- call hs_office.person_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.person_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.person;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.person LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.person_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -38,13 +38,13 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office.person WHERE uuid = NEW.holderUuid INTO newHolderPerson; SELECT * FROM hs_office.person WHERE uuid = NEW.holderUuid INTO newHolderPerson;
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s of relation', NEW.holderUuid); assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s of hs_office.relation', NEW.holderUuid);
SELECT * FROM hs_office.person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson; SELECT * FROM hs_office.person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson;
assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s of relation', NEW.anchorUuid); assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s of hs_office.relation', NEW.anchorUuid);
SELECT * FROM hs_office.contact WHERE uuid = NEW.contactUuid INTO newContact; SELECT * FROM hs_office.contact WHERE uuid = NEW.contactUuid INTO newContact;
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s of relation', NEW.contactUuid); assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s of hs_office.relation', NEW.contactUuid);
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
@ -254,12 +254,12 @@ call rbac.generateRbacRestrictedView('hs_office.relation',
-- ============================================================================ -- ============================================================================
--changeset RbacRestrictedViewGenerator:hs-office-relation-rbac-rebuild endDelimiter:--// --changeset RbacRbacSystemRebuildGenerator:hs-office-relation-rbac-rebuild endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
-- --
-- begin transaction; -- begin transaction;
-- call base.defineContext('re-creating RBAC for table relation', null, <<insert executing global admin user here>>); -- call base.defineContext('re-creating RBAC for table hs_office.relation', null, <<insert executing global admin user here>>);
-- call hs_office.relation_rebuild_rbac_system(); -- call hs_office.relation_rebuild_rbac_system();
-- commit; -- commit;
@ -289,3 +289,4 @@ BEGIN
END; END;
$$; $$;
--// --//


@ -37,10 +37,10 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel; SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of partner', NEW.partnerRelUuid); assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of hs_office.partner', NEW.partnerRelUuid);
SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails; SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of partner', NEW.detailsUuid); assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of hs_office.partner', NEW.detailsUuid);
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hs_office.relation_OWNER(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hs_office.relation_OWNER(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.relation_TENANT(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.relation_TENANT(newPartnerRel));
@ -96,16 +96,16 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office.relation WHERE uuid = OLD.partnerRelUuid INTO oldPartnerRel; SELECT * FROM hs_office.relation WHERE uuid = OLD.partnerRelUuid INTO oldPartnerRel;
assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s of partner', OLD.partnerRelUuid); assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s of hs_office.partner', OLD.partnerRelUuid);
SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel; SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of partner', NEW.partnerRelUuid); assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of hs_office.partner', NEW.partnerRelUuid);
SELECT * FROM hs_office.partner_details WHERE uuid = OLD.detailsUuid INTO oldPartnerDetails; SELECT * FROM hs_office.partner_details WHERE uuid = OLD.detailsUuid INTO oldPartnerDetails;
assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s of partner', OLD.detailsUuid); assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s of hs_office.partner', OLD.detailsUuid);
SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails; SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of partner', NEW.detailsUuid); assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of hs_office.partner', NEW.detailsUuid);
if NEW.partnerRelUuid <> OLD.partnerRelUuid then if NEW.partnerRelUuid <> OLD.partnerRelUuid then
@ -253,3 +253,41 @@ call rbac.generateRbacRestrictedView('hs_office.partner',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-partner-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.partner', null, <<insert executing global admin user here>>);
-- call hs_office.partner_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.partner_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.partner;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.partner LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.partner_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -165,3 +165,41 @@ call rbac.generateRbacRestrictedView('hs_office.partner_details',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-partner-details-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.partner_details', null, <<insert executing global admin user here>>);
-- call hs_office.partner_details_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.partner_details_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.partner_details;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.partner_details LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.partner_details_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -101,3 +101,41 @@ call rbac.generateRbacRestrictedView('hs_office.bankaccount',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-bankaccount-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.bankaccount', null, <<insert executing global admin user here>>);
-- call hs_office.bankaccount_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.bankaccount_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.bankaccount;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.bankaccount LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.bankaccount_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -44,10 +44,10 @@ begin
WHERE partnerRel.type = 'PARTNER' WHERE partnerRel.type = 'PARTNER'
AND NEW.debitorRelUuid = debitorRel.uuid AND NEW.debitorRelUuid = debitorRel.uuid
INTO newPartnerRel; INTO newPartnerRel;
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s of debitor', NEW.debitorRelUuid); assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s of hs_office.debitor', NEW.debitorRelUuid);
SELECT * FROM hs_office.relation WHERE uuid = NEW.debitorRelUuid INTO newDebitorRel; SELECT * FROM hs_office.relation WHERE uuid = NEW.debitorRelUuid INTO newDebitorRel;
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s of debitor', NEW.debitorRelUuid); assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s of hs_office.debitor', NEW.debitorRelUuid);
SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount; SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
@ -242,3 +242,41 @@ call rbac.generateRbacRestrictedView('hs_office.debitor',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-debitor-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.debitor', null, <<insert executing global admin user here>>);
-- call hs_office.debitor_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.debitor_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.debitor;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.debitor LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.debitor_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -37,14 +37,14 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.bankAccountUuid INTO newBankAccount; SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.bankAccountUuid INTO newBankAccount;
assert newBankAccount.uuid is not null, format('newBankAccount must not be null for NEW.bankAccountUuid = %s of sepamandate', NEW.bankAccountUuid); assert newBankAccount.uuid is not null, format('newBankAccount must not be null for NEW.bankAccountUuid = %s of hs_office.sepamandate', NEW.bankAccountUuid);
SELECT debitorRel.* SELECT debitorRel.*
FROM hs_office.relation debitorRel FROM hs_office.relation debitorRel
JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
WHERE debitor.uuid = NEW.debitorUuid WHERE debitor.uuid = NEW.debitorUuid
INTO newDebitorRel; INTO newDebitorRel;
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of sepamandate', NEW.debitorUuid); assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of hs_office.sepamandate', NEW.debitorUuid);
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
@ -211,3 +211,41 @@ call rbac.generateRbacRestrictedView('hs_office.sepamandate',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-sepamandate-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.sepamandate', null, <<insert executing global admin user here>>);
-- call hs_office.sepamandate_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.sepamandate_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.sepamandate;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.sepamandate LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.sepamandate_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -40,7 +40,7 @@ begin
JOIN hs_office.relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid JOIN hs_office.relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
WHERE partner.uuid = NEW.partnerUuid WHERE partner.uuid = NEW.partnerUuid
INTO newPartnerRel; INTO newPartnerRel;
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s of membership', NEW.partnerUuid); assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s of hs_office.membership', NEW.partnerUuid);
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
@ -193,3 +193,41 @@ call rbac.generateRbacRestrictedView('hs_office.membership',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-membership-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.membership', null, <<insert executing global admin user here>>);
-- call hs_office.membership_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.membership_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.membership;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.membership LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.membership_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -36,7 +36,7 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership; SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership;
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of coopshares', NEW.membershipUuid); assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of hs_office.coopsharetx', NEW.membershipUuid);
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership));
@ -164,3 +164,41 @@ call rbac.generateRbacRestrictedView('hs_office.coopsharetx',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-coopsharetx-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.coopsharetx', null, <<insert executing global admin user here>>);
-- call hs_office.coopsharetx_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.coopsharetx_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.coopsharetx;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.coopsharetx LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.coopsharetx_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//
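Review bot: The generated procedure body opens with two consecutive `DECLARE` keywords right after `language plpgsql as $$`; PL/pgSQL tolerates the redundant keyword, but it reads as a template slip, so it should be collapsed to a single `DECLARE` in the RbacRbacSystemRebuildGenerator template rather than in each file, which also covers the identical hunks for hs_office.coopassettx, hs_booking.project, hs_booking.item and hs_hosting.asset below. In the same body `SELECT count(*) INTO grantsBefore` is upper-case while `select count(*) into grantsAfter` is lower-case, and both counters are declared `numeric` although `count(*)` yields `bigint`; `grantsAfter bigint;` and `grantsBefore bigint;` with one keyword case would be cleaner. The loop only visits rows that still exist, so grants whose `grantedbytriggerof` refers to a row deleted in the meantime are not cleared by this rebuild; if that is expected to be handled elsewhere (presumably by the row-delete path), a comment above the `DELETE` such as `-- grants of rows deleted since are not touched here; they are expected to be removed by the delete path` would make the assumption explicit, otherwise a cleanup of such orphaned grants is missing. Since this procedure is generated once per table and the notice carries no table name, running several rebuilds in one session produces indistinguishable log lines; `raise notice 'hs_office.coopsharetx: total grant count before -> after: % -> %', grantsBefore, grantsAfter;` (with the table name substituted by the generator) would make the output attributable.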


@ -36,7 +36,7 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership; SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership;
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of coopasset', NEW.membershipUuid); assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of hs_office.coopassettx', NEW.membershipUuid);
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership));
@ -164,3 +164,41 @@ call rbac.generateRbacRestrictedView('hs_office.coopassettx',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-office-coopassettx-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_office.coopassettx', null, <<insert executing global admin user here>>);
-- call hs_office.coopassettx_rebuild_rbac_system();
-- commit;
create or replace procedure hs_office.coopassettx_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_office.coopassettx;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_office.coopassettx LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_office.coopassettx_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -37,14 +37,14 @@ begin
call rbac.enterTriggerForObjectUuid(NEW.uuid); call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office.debitor WHERE uuid = NEW.debitorUuid INTO newDebitor; SELECT * FROM hs_office.debitor WHERE uuid = NEW.debitorUuid INTO newDebitor;
assert newDebitor.uuid is not null, format('newDebitor must not be null for NEW.debitorUuid = %s of project', NEW.debitorUuid); assert newDebitor.uuid is not null, format('newDebitor must not be null for NEW.debitorUuid = %s of hs_booking.project', NEW.debitorUuid);
SELECT debitorRel.* SELECT debitorRel.*
FROM hs_office.relation debitorRel FROM hs_office.relation debitorRel
JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
WHERE debitor.uuid = NEW.debitorUuid WHERE debitor.uuid = NEW.debitorUuid
INTO newDebitorRel; INTO newDebitorRel;
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s or project', NEW.debitorUuid); assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of hs_booking.project', NEW.debitorUuid);
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
@ -204,3 +204,41 @@ call rbac.generateRbacRestrictedView('hs_booking.project',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-booking-project-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_booking.project', null, <<insert executing global admin user here>>);
-- call hs_booking.project_rebuild_rbac_system();
-- commit;
create or replace procedure hs_booking.project_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_booking.project;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_booking.project LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_booking.project_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -275,3 +275,41 @@ call rbac.generateRbacRestrictedView('hs_booking.item',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-booking-item-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_booking.item', null, <<insert executing global admin user here>>);
-- call hs_booking.item_rebuild_rbac_system();
-- commit;
create or replace procedure hs_booking.item_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_booking.item;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_booking.item LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_booking.item_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//


@ -181,3 +181,41 @@ call rbac.generateRbacRestrictedView('hs_hosting.asset',
$updates$); $updates$);
--// --//
-- ============================================================================
--changeset RbacRbacSystemRebuildGenerator:hs-hosting-asset-rbac-rebuild endDelimiter:--//
-- ----------------------------------------------------------------------------
--
-- begin transaction;
-- call base.defineContext('re-creating RBAC for table hs_hosting.asset', null, <<insert executing global admin user here>>);
-- call hs_hosting.asset_rebuild_rbac_system();
-- commit;
create or replace procedure hs_hosting.asset_rebuild_rbac_system()
language plpgsql as $$
DECLARE
DECLARE
row hs_hosting.asset;
grantsAfter numeric;
grantsBefore numeric;
BEGIN
SELECT count(*) INTO grantsBefore FROM rbac.grants;
FOR row IN SELECT * FROM hs_hosting.asset LOOP
-- first delete all generated grants for this row from the previously defined RBAC system
DELETE FROM rbac.grants g
WHERE g.grantedbytriggerof = row.uuid;
-- then build the grants according to the currently defined RBAC rules
CALL hs_hosting.asset_build_rbac_system(row);
END LOOP;
select count(*) into grantsAfter from rbac.grants;
-- print how the total count of grants has changed
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
END;
$$;
--//