most remaining from base+rbac

This commit is contained in:
Michael Hoennig 2024-09-14 10:34:11 +02:00
parent 6465a2457c
commit a7e3ae79d0
39 changed files with 244 additions and 244 deletions


@ -74,7 +74,7 @@ For restricted DB-users, which are used by the backend, access to rows is filter
FOR SELECT FOR SELECT
TO restricted TO restricted
USING ( USING (
isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid()) rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid())
); );
SET SESSION AUTHORIZATION restricted; SET SESSION AUTHORIZATION restricted;
@ -101,7 +101,7 @@ We are bound to PostgreSQL, including integration tests and testing the RBAC sys
CREATE OR REPLACE RULE "_RETURN" AS CREATE OR REPLACE RULE "_RETURN" AS
ON SELECT TO cust_view ON SELECT TO cust_view
DO INSTEAD DO INSTEAD
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid()); SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid());
SET SESSION AUTHORIZATION restricted; SET SESSION AUTHORIZATION restricted;
SET hsadminng.currentSubject TO 'alex@example.com'; SET hsadminng.currentSubject TO 'alex@example.com';


@ -239,7 +239,7 @@ This did not improve the performance.
We were suspicious about the sequential scan over all `rbacpermission` rows which was done by PostgreSQL to execute a HashJoin strategy. Turning off that strategy by We were suspicious about the sequential scan over all `rbacpermission` rows which was done by PostgreSQL to execute a HashJoin strategy. Turning off that strategy by
```SQL ```SQL
ALTER FUNCTION queryAccessibleObjectUuidsOfSubjectIds SET enable_hashjoin = off; ALTER FUNCTION rbac.queryAccessibleObjectUuidsOfSubjectIds SET enable_hashjoin = off;
``` ```
did not improve the performance though. The HashJoin was actually still applied, but no full table scan anymore: did not improve the performance though. The HashJoin was actually still applied, but no full table scan anymore:
@ -273,9 +273,9 @@ At this point, the import took 21mins with these statistics:
| select hore1_0.uuid,a1_0.uuid,a1_0.familyname,a1_0.givenname,a1_0.persontype,a1_0.salutation,a1_0.title,a1_0.tradename,a1_0.version,c1_0.uuid,c1_0.caption,c1_0.emailaddresses,c1_0.phonenumbers,c1_0.postaladdress, c1_0.version,h1_0.uuid,h1_0.familyname,h1_0.givenname,h1_0.persontype,h1_0.salutation,h1_0.title,h1_0.tradename,h1_0.version,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 left join public.hs_office_person_rv a1_0 on a1_0.uuid=hore1_0.anchoruuid left join public.hs_office_contact_rv c1_0 on c1_0.uuid=hore1_0.contactuuid left join public.hs_office_person_rv h1_0 on h1_0.uuid=hore1_0.holderuuid where hore1_0.uuid=$1 | 517 | 11 | 1282 | | select hore1_0.uuid,a1_0.uuid,a1_0.familyname,a1_0.givenname,a1_0.persontype,a1_0.salutation,a1_0.title,a1_0.tradename,a1_0.version,c1_0.uuid,c1_0.caption,c1_0.emailaddresses,c1_0.phonenumbers,c1_0.postaladdress, c1_0.version,h1_0.uuid,h1_0.familyname,h1_0.givenname,h1_0.persontype,h1_0.salutation,h1_0.title,h1_0.tradename,h1_0.version,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 left join public.hs_office_person_rv a1_0 on a1_0.uuid=hore1_0.anchoruuid left join public.hs_office_contact_rv c1_0 on c1_0.uuid=hore1_0.contactuuid left join public.hs_office_person_rv h1_0 on h1_0.uuid=hore1_0.holderuuid where hore1_0.uuid=$1 | 517 | 11 | 1282 |
| select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | 973 | 4 | 254 | | select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | 973 | 4 | 254 |
| select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | 973 | 4 | 253 | | select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | 973 | 4 | 253 |
| call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 | | call rbac.grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 |
| call buildRbacSystemForHsHostingAsset(NEW) | 2258 | 0 | 7 | | call buildRbacSystemForHsHostingAsset(NEW) | 2258 | 0 | 7 |
| select * from isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 | | select * from rbac.isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 |
| insert into public.hs_hosting_asset_rv (alarmcontactuuid,assignedtoassetuuid,bookingitemuuid,caption,config,identifier,parentassetuuid,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10) | 2207 | 0 | 7 | | insert into public.hs_hosting_asset_rv (alarmcontactuuid,assignedtoassetuuid,bookingitemuuid,caption,config,identifier,parentassetuuid,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10) | 2207 | 0 | 7 |
| insert into hs_hosting_asset (alarmcontactuuid, version, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, config, uuid, identifier, caption) values (new.alarmcontactuuid, new. version, new. bookingitemuuid, new. type, new. parentassetuuid, new. assignedtoassetuuid, new. config, new. uuid, new. identifier, new. caption) returning * | 2207 | 0 | 7 | | insert into hs_hosting_asset (alarmcontactuuid, version, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, config, uuid, identifier, caption) values (new.alarmcontactuuid, new. version, new. bookingitemuuid, new. type, new. parentassetuuid, new. assignedtoassetuuid, new. config, new. uuid, new. identifier, new. caption) returning * | 2207 | 0 | 7 |
| insert into public.hs_office_relation_rv (anchoruuid,contactuuid,holderuuid,mark,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7) | 1261 | 0 | 9 | | insert into public.hs_office_relation_rv (anchoruuid,contactuuid,holderuuid,mark,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7) | 1261 | 0 | 9 |
@ -297,8 +297,8 @@ We changed these mappings from `EAGER` (default) to `LAZY` to `@ManyToOne(fetch
| select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | 1015 | 4 | 238 | | select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | 1015 | 4 | 238 |
| select hore1_0.uuid,hore1_0.anchoruuid,hore1_0.contactuuid,hore1_0.holderuuid,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 where hore1_0.uuid=$1 | 517 | 4 | 439 | | select hore1_0.uuid,hore1_0.anchoruuid,hore1_0.contactuuid,hore1_0.holderuuid,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 where hore1_0.uuid=$1 | 517 | 4 | 439 |
| select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | 497 | 2 | 213 | | select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | 497 | 2 | 213 |
| call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 | | call rbac.grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 |
| select * from isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 | | select * from rbac.isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 |
| call buildRbacSystemForHsHostingAsset(NEW) | 2258 | 0 | 7 | | call buildRbacSystemForHsHostingAsset(NEW) | 2258 | 0 | 7 |
| insert into public.hs_hosting_asset_rv (alarmcontactuuid,assignedtoassetuuid,bookingitemuuid,caption,config,identifier,parentassetuuid,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10) | 2207 | 0 | 7 | | insert into public.hs_hosting_asset_rv (alarmcontactuuid,assignedtoassetuuid,bookingitemuuid,caption,config,identifier,parentassetuuid,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10) | 2207 | 0 | 7 |
| insert into hs_hosting_asset (alarmcontactuuid, version, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, config, uuid, identifier, caption) values (new.alarmcontactuuid, new. version, new. bookingitemuuid, new. type, new. parentassetuuid, new. assignedtoassetuuid, new. config, new. uuid, new. identifier, new. caption) returning * | 2207 | 0 | 7 | | insert into hs_hosting_asset (alarmcontactuuid, version, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, config, uuid, identifier, caption) values (new.alarmcontactuuid, new. version, new. bookingitemuuid, new. type, new. parentassetuuid, new. assignedtoassetuuid, new. config, new. uuid, new. identifier, new. caption) returning * | 2207 | 0 | 7 |
@ -333,8 +333,8 @@ Now, the longest running queries are these:
| 1 | 13.093 | 4 | 21 | insert into hs_hosting_asset( uuid, type, bookingitemuuid, parentassetuuid, assignedtoassetuuid, alarmcontactuuid, identifier, caption, config, version) values ( $1, $2, $3, $4, $5, $6, $7, $8, cast($9 as jsonb), $10) | | 1 | 13.093 | 4 | 21 | insert into hs_hosting_asset( uuid, type, bookingitemuuid, parentassetuuid, assignedtoassetuuid, alarmcontactuuid, identifier, caption, config, version) values ( $1, $2, $3, $4, $5, $6, $7, $8, cast($9 as jsonb), $10) |
| 2 | 517 | 4 | 502 | select hore1_0.uuid,hore1_0.anchoruuid,hore1_0.contactuuid,hore1_0.holderuuid,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 where hore1_0.uuid=$1 | | 2 | 517 | 4 | 502 | select hore1_0.uuid,hore1_0.anchoruuid,hore1_0.contactuuid,hore1_0.holderuuid,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 where hore1_0.uuid=$1 |
| 3 | 13.144 | 4 | 21 | call buildRbacSystemForHsHostingAsset(NEW) | | 3 | 13.144 | 4 | 21 | call buildRbacSystemForHsHostingAsset(NEW) |
| 4 | 96.632 | 3 | 2 | call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | | 4 | 96.632 | 3 | 2 | call rbac.grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) |
| 5 | 120.815 | 3 | 2 | select * from isGranted(array[granteeId], grantedId) | | 5 | 120.815 | 3 | 2 | select * from rbac.isGranted(array[granteeId], grantedId) |
| 6 | 123.740 | 3 | 2 | with recursive grants as ( select descendantUuid, ascendantUuid from RbacGrants where descendantUuid = grantedId union all select "grant".descendantUuid, "grant".ascendantUuid from RbacGrants "grant" inner join grants recur on recur.ascendantUuid = "grant".descendantUuid ) select exists ( select $3 from grants where ascendantUuid = any(granteeIds) ) or grantedId = any(granteeIds) | | 6 | 123.740 | 3 | 2 | with recursive grants as ( select descendantUuid, ascendantUuid from RbacGrants where descendantUuid = grantedId union all select "grant".descendantUuid, "grant".ascendantUuid from RbacGrants "grant" inner join grants recur on recur.ascendantUuid = "grant".descendantUuid ) select exists ( select $3 from grants where ascendantUuid = any(granteeIds) ) or grantedId = any(granteeIds) |
| 7 | 497 | 2 | 259 | select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | | 7 | 497 | 2 | 259 | select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 |
| 8 | 497 | 2 | 255 | select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | | 8 | 497 | 2 | 255 | select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 |


@ -605,7 +605,7 @@ Find the SQL script here: `28-hs-tests.sql`.
We have tested two variants of the query for the restricted view, We have tested two variants of the query for the restricted view,
both utilizing a PostgreSQL function like this: both utilizing a PostgreSQL function like this:
FUNCTION queryAccessibleObjectUuidsOfSubjectIds( FUNCTION rbac.queryAccessibleObjectUuidsOfSubjectIds(
requiredOp rbac.RbacOp, requiredOp rbac.RbacOp,
forObjectTable varchar, forObjectTable varchar,
subjectIds uuid[], subjectIds uuid[],
@ -623,7 +623,7 @@ Let's have a look at the two view queries:
FROM customer AS target FROM customer AS target
WHERE target.uuid IN ( WHERE target.uuid IN (
SELECT uuid SELECT uuid
FROM queryAccessibleObjectUuidsOfSubjectIds( FROM rbac.queryAccessibleObjectUuidsOfSubjectIds(
'SELECT, 'customer', currentSubjectOrAssumedRolesUuids())); 'SELECT, 'customer', currentSubjectOrAssumedRolesUuids()));
This view should be automatically updatable. This view should be automatically updatable.
@ -641,7 +641,7 @@ Looks like the query optimizer needed some statistics to find the best path.
CREATE OR REPLACE VIEW customer_rv AS CREATE OR REPLACE VIEW customer_rv AS
SELECT DISTINCT target.* SELECT DISTINCT target.*
FROM customer AS target FROM customer AS target
JOIN queryAccessibleObjectUuidsOfSubjectIds( JOIN rbac.queryAccessibleObjectUuidsOfSubjectIds(
'SELECT, 'customer', currentSubjectOrAssumedRolesUuids()) AS allowedObjId 'SELECT, 'customer', currentSubjectOrAssumedRolesUuids()) AS allowedObjId
ON target.uuid = allowedObjId; ON target.uuid = allowedObjId;


@ -3,10 +3,10 @@
-- -------------------------------------------------------- -- --------------------------------------------------------
select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER')); select rbac.isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
select isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators')); select rbac.isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
-- call grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators')); -- call rbac.grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER')); -- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
select count(*) select count(*)
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacSubject('superuser-fran@hostsharing.net'), FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacSubject('superuser-fran@hostsharing.net'),
@ -19,11 +19,11 @@ select *
FROM queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com')); FROM queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com'));
select * select *
FROM queryAllRbacSubjectsWithPermissionsFor(findEffectivePermissionId('customer', FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('customer',
(SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1), (SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
'add-package')); 'add-package'));
select * select *
FROM queryAllRbacSubjectsWithPermissionsFor(findEffectivePermissionId('package', FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('package',
(SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1), (SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
'DELETE')); 'DELETE'));
@ -34,12 +34,12 @@ $$
result bool; result bool;
BEGIN BEGIN
userId = findRbacSubject('superuser-alex@hostsharing.net'); userId = findRbacSubject('superuser-alex@hostsharing.net');
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId)); result = (SELECT * FROM rbac.isPermissionGrantedToSubject(rbac.findPermissionId('package', 94928, 'add-package'), userId));
IF (result) THEN IF (result) THEN
RAISE EXCEPTION 'expected permission NOT to be granted, but it is'; RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
end if; end if;
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'SELECT'), userId)); result = (SELECT * FROM rbac.isPermissionGrantedToSubject(rbac.findPermissionId('package', 94928, 'SELECT'), userId));
IF (NOT result) THEN IF (NOT result) THEN
RAISE EXCEPTION 'expected permission to be granted, but it is NOT'; RAISE EXCEPTION 'expected permission to be granted, but it is NOT';
end if; end if;
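Review bot: Only part of this script is schema-qualified after the change: `rbac.isGranted(...)` and `rbac.findEffectivePermissionId(...)` are prefixed, while `findRoleId`, `findRbacSubject`, `queryAllPermissionsOfSubjectIdForObjectUuids` and `queryAllPermissionsOfSubjectId` passed to them or called on the following lines are not, and the customer_policy script in this commit shows the same mix in `select queryAllPermissionsOfSubjectId(findRbacSubject(...))`. If those functions were moved into the rbac schema as well, both scripts only work with rbac on the caller's search_path, which is what the qualification is meant to remove as a dependency. Either prefix them too or add a line stating where they are expected to resolve, e.g. `-- findRoleId/findRbacSubject/queryAllPermissions* are resolved via search_path; confirm their schema`.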


@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
TO restricted TO restricted
USING ( USING (
-- id=1000 -- id=1000
isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid()) rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid())
); );
SET SESSION AUTHORIZATION restricted; SET SESSION AUTHORIZATION restricted;
@ -35,7 +35,7 @@ SELECT * FROM customer;
CREATE OR REPLACE RULE "_RETURN" AS CREATE OR REPLACE RULE "_RETURN" AS
ON SELECT TO cust_view ON SELECT TO cust_view
DO INSTEAD DO INSTEAD
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid()); SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid());
SELECT * from cust_view LIMIT 10; SELECT * from cust_view LIMIT 10;
select queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net')); select queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));


@ -69,7 +69,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
public static RbacView rbac() { public static RbacView rbac() {
return rbacViewFor("project", HsBookingProject.class) return rbacViewFor("project", HsBookingProject.class)
.withIdentityView(SQL.query(""" .withIdentityView(SQL.query("""
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || base.cleanIdentifier(bookingProject.caption) as idName
FROM hs_booking_project bookingProject FROM hs_booking_project bookingProject
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid
""")) """))


@ -41,7 +41,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
public static RbacView rbac() { public static RbacView rbac() {
return rbacViewFor("project", HsBookingProjectRbacEntity.class) return rbacViewFor("project", HsBookingProjectRbacEntity.class)
.withIdentityView(SQL.query(""" .withIdentityView(SQL.query("""
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || base.cleanIdentifier(bookingProject.caption) as idName
FROM hs_booking_project bookingProject FROM hs_booking_project bookingProject
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid
""")) """))


@ -72,7 +72,7 @@ public class InsertTriggerGenerator {
FOR row IN SELECT * FROM ${rawSuperTable} FOR row IN SELECT * FROM ${rawSuperTable}
${whenCondition} ${whenCondition}
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
createPermission(row.uuid, 'INSERT', '${rawSubTable}'), createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
${superRoleRef}); ${superRoleRef});
END LOOP; END LOOP;
@ -106,7 +106,7 @@ public class InsertTriggerGenerator {
strict as $$ strict as $$
begin begin
${ifConditionThen} ${ifConditionThen}
call grantPermissionToRole( call rbac.grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'), createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
${superRoleRef}); ${superRoleRef});
${ifConditionEnd} ${ifConditionEnd}
@ -225,7 +225,7 @@ public class InsertTriggerGenerator {
plPgSql.writeLn( plPgSql.writeLn(
""" """
-- check INSERT permission via direct foreign key: NEW.${refColumn} -- check INSERT permission via direct foreign key: NEW.${refColumn}
if ${caseCondition}hasInsertPermission(NEW.${refColumn}, '${rawSubTable}') then if ${caseCondition}rbac.hasInsertPermission(NEW.${refColumn}, '${rawSubTable}') then
return NEW; return NEW;
end if; end if;
""", """,
@ -238,7 +238,7 @@ public class InsertTriggerGenerator {
-- check INSERT permission via indirect foreign key: NEW.${refColumn} -- check INSERT permission via indirect foreign key: NEW.${refColumn}
superObjectUuid := (${fetchSql}); superObjectUuid := (${fetchSql});
assert superObjectUuid is not null, 'object uuid fetched depending on ${rawSubTable}.${refColumn} must not be null, also check fetchSql in RBAC DSL'; assert superObjectUuid is not null, 'object uuid fetched depending on ${rawSubTable}.${refColumn} must not be null, also check fetchSql in RBAC DSL';
if ${caseCondition}hasInsertPermission(superObjectUuid, '${rawSubTable}') then if ${caseCondition}rbac.hasInsertPermission(superObjectUuid, '${rawSubTable}') then
return NEW; return NEW;
end if; end if;
""", """,
@ -255,7 +255,7 @@ public class InsertTriggerGenerator {
plPgSql.writeLn(); plPgSql.writeLn();
plPgSql.writeLn(""" plPgSql.writeLn("""
raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)', raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger ${rawSubTable}_insert_permission_check_tg create trigger ${rawSubTable}_insert_permission_check_tg
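Review bot: The generated `[403]` exception now calls `rbac.currentSubjects()`, but the function renamed in this same commit is created as `base.currentSubjects()` in the base functions changeset, so unless a separate rbac.currentSubjects() exists the reject path of every generated insert-permission trigger would raise an undefined-function error instead of the intended 403. If base is where that function lives, the line should read `NEW, base.currentSubjects(), currentSubjectOrAssumedRolesUuids();`. In the same templates `createPermission(...)` and `currentSubjectOrAssumedRolesUuids()` stay unqualified next to the prefixed `rbac.grantPermissionToRole`/`rbac.hasInsertPermission` calls, which deserves a comment naming the schema they are expected to resolve from. The methods containing these template strings start and end outside the hunks.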


@ -309,7 +309,7 @@ class RolesGrantsAndPermissionsGenerator {
private String generateRevoke(RbacGrantDefinition grantDef) { private String generateRevoke(RbacGrantDefinition grantDef) {
return switch (grantDef.grantType()) { return switch (grantDef.grantType()) {
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant"); case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
case ROLE_TO_ROLE -> "call revokeRoleFromRole(${subRoleRef}, ${superRoleRef});" case ROLE_TO_ROLE -> "call rbac.revokeRoleFromRole(${subRoleRef}, ${superRoleRef});"
.replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef())) .replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef()))
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
case PERM_TO_ROLE -> "call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});" case PERM_TO_ROLE -> "call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});"
@ -321,13 +321,13 @@ class RolesGrantsAndPermissionsGenerator {
private String generateGrant(RbacGrantDefinition grantDef) { private String generateGrant(RbacGrantDefinition grantDef) {
final var grantSql = switch (grantDef.grantType()) { final var grantSql = switch (grantDef.grantType()) {
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant"); case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
case ROLE_TO_ROLE -> "call grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});" case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});"
.replace("${assumed}", grantDef.isAssumed() ? "" : ", unassumed()") .replace("${assumed}", grantDef.isAssumed() ? "" : ", unassumed()")
.replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef())) .replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef()))
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
case PERM_TO_ROLE -> case PERM_TO_ROLE ->
grantDef.getPermDef().getPermission() == INSERT ? "" grantDef.getPermDef().getPermission() == INSERT ? ""
: "call grantPermissionToRole(${permRef}, ${superRoleRef});" : "call rbac.grantPermissionToRole(${permRef}, ${superRoleRef});"
.replace("${permRef}", createPerm(NEW, grantDef.getPermDef())) .replace("${permRef}", createPerm(NEW, grantDef.getPermDef()))
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
}; };
@ -335,11 +335,11 @@ class RolesGrantsAndPermissionsGenerator {
} }
private String findPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) { private String findPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
return permRef("findPermissionId", ref, permDef); return permRef("rbac.findPermissionId", ref, permDef);
} }
private String getPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) { private String getPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
return permRef("getPermissionId", ref, permDef); return permRef("rbac.getPermissionId", ref, permDef);
} }
private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) { private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
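Review bot: In generateGrant the `", unassumed()"` fragment substituted for `${assumed}` remains unqualified while every other call emitted by both switch expressions is now prefixed with `rbac.`; if unassumed() was moved along with grantRoleToRole, the generated `call rbac.grantRoleToRole(...)` statement still resolves that argument via the caller's search_path. Either emit `", rbac.unassumed()"` or leave a one-line comment stating that unassumed() intentionally stays where it is. generateGrant continues outside the hunk, and createPerm's body is not shown.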


@ -142,7 +142,7 @@ begin
return string_to_array(current_setting('hsadminng.assumedRoles', true), ';'); return string_to_array(current_setting('hsadminng.assumedRoles', true), ';');
end; $$; end; $$;
create or replace function cleanIdentifier(rawIdentifier varchar) create or replace function base.cleanIdentifier(rawIdentifier varchar)
returns varchar returns varchar
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
@ -153,21 +153,21 @@ begin
return cleanIdentifier; return cleanIdentifier;
end; $$; end; $$;
create or replace function pureIdentifier(rawIdentifier varchar) create or replace function base.pureIdentifier(rawIdentifier varchar)
returns varchar returns varchar
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
declare declare
cleanIdentifier varchar; cleanIdentifier varchar;
begin begin
cleanIdentifier := cleanIdentifier(rawIdentifier); cleanIdentifier := base.cleanIdentifier(rawIdentifier);
if cleanIdentifier != rawIdentifier then if cleanIdentifier != rawIdentifier then
raise exception 'identifier "%" contains invalid characters, maybe use "%"', rawIdentifier, cleanIdentifier; raise exception 'identifier "%" contains invalid characters, maybe use "%"', rawIdentifier, cleanIdentifier;
end if; end if;
return cleanIdentifier; return cleanIdentifier;
end; $$; end; $$;
create or replace function findObjectUuidByIdName(objectTable varchar, objectIdName varchar) create or replace function base.findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
returns uuid returns uuid
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
@ -175,8 +175,8 @@ declare
sql varchar; sql varchar;
uuid uuid; uuid uuid;
begin begin
objectTable := pureIdentifier(objectTable); objectTable := base.pureIdentifier(objectTable);
objectIdName := pureIdentifier(objectIdName); objectIdName := base.pureIdentifier(objectIdName);
sql := format('select * from %sUuidByIdName(%L);', objectTable, objectIdName); sql := format('select * from %sUuidByIdName(%L);', objectTable, objectIdName);
begin begin
execute sql into uuid; execute sql into uuid;
@ -187,7 +187,7 @@ begin
return uuid; return uuid;
end ; $$; end ; $$;
create or replace function findIdNameByObjectUuid(objectTable varchar, objectUuid uuid) create or replace function base.findIdNameByObjectUuid(objectTable varchar, objectUuid uuid)
returns varchar returns varchar
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
@ -195,7 +195,7 @@ declare
sql varchar; sql varchar;
idName varchar; idName varchar;
begin begin
objectTable := pureIdentifier(objectTable); objectTable := base.pureIdentifier(objectTable);
sql := format('select * from %sIdNameByUuid(%L::uuid);', objectTable, objectUuid); sql := format('select * from %sIdNameByUuid(%L::uuid);', objectTable, objectUuid);
begin begin
execute sql into idName; execute sql into idName;
@ -206,7 +206,7 @@ begin
return idName; return idName;
end ; $$; end ; $$;
create or replace function currentSubjects() create or replace function base.currentSubjects()
returns varchar(1023)[] returns varchar(1023)[]
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
@ -221,7 +221,7 @@ begin
end if; end if;
end; $$; end; $$;
create or replace function hasAssumedRole() create or replace function base.hasAssumedRole()
returns boolean returns boolean
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
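Review bot: base.findObjectUuidByIdName and base.findIdNameByObjectUuid still build their dynamic call with an unqualified name, `format('select * from %sUuidByIdName(%L);', ...)` and `format('select * from %sIdNameByUuid(%L::uuid);', ...)`, so the per-table function is resolved through the caller's search_path even though the wrapper itself now lives in base; if those per-table functions are moved into a schema too, the format strings need that prefix. The objectTable value is passed through base.pureIdentifier first, which raises on anything cleanIdentifier would alter, so the `%s` substitution is not an injection point as long as that check keeps its current strictness — a comment above the format call should say so, e.g. `-- objectTable is safe in %s: base.pureIdentifier() rejects anything base.cleanIdentifier() would change`. The bodies of all functions in this file are cut by the hunks.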


@ -8,8 +8,8 @@
*/ */
do $$ do $$
begin begin
if not exists(select 1 from pg_type where typname = 'operation') then if not exists(select 1 from pg_type where typname = 'base.tx_operation') then
create type "operation" as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE'); create type base.tx_operation as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
end if; end if;
--more types here... --more types here...
end $$; end $$;
@ -42,10 +42,10 @@ create index on base.tx_context using brin (txTimestamp);
*/ */
create table base.tx_journal create table base.tx_journal
( (
txId xid8 not null references base.tx_context (txId), txId xid8 not null references base.tx_context (txId),
targetTable text not null, targetTable text not null,
targetUuid uuid not null, -- Assumes that all audited tables have a uuid column. targetUuid uuid not null, -- Assumes that all audited tables have a uuid column.
targetOp operation not null, targetOp base.tx_operation not null,
targetDelta jsonb targetDelta jsonb
); );
@ -91,17 +91,17 @@ begin
when 'INSERT' then insert when 'INSERT' then insert
into base.tx_journal into base.tx_journal
values (curTxId, values (curTxId,
tg_table_name, new.uuid, tg_op::operation, tg_table_name, new.uuid, tg_op::base.tx_operation,
to_jsonb(new)); to_jsonb(new));
when 'UPDATE' then insert when 'UPDATE' then insert
into base.tx_journal into base.tx_journal
values (curTxId, values (curTxId,
tg_table_name, old.uuid, tg_op::operation, tg_table_name, old.uuid, tg_op::base.tx_operation,
base.jsonb_changes_delta(to_jsonb(old), to_jsonb(new))); base.jsonb_changes_delta(to_jsonb(old), to_jsonb(new)));
when 'DELETE' then insert when 'DELETE' then insert
into base.tx_journal into base.tx_journal
values (curTxId, values (curTxId,
tg_table_name, old.uuid, 'DELETE'::operation, tg_table_name, old.uuid, 'DELETE'::base.tx_operation,
null::jsonb); null::jsonb);
else raise exception 'Trigger op % not supported for %.', tg_op, tg_table_name; else raise exception 'Trigger op % not supported for %.', tg_op, tg_table_name;
end case; end case;
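Review bot: The existence guard in the do-block compares `pg_type.typname` with `'base.tx_operation'`, but typname stores the bare type name without a schema, so the condition is never true and `create type base.tx_operation ...` runs on every execution, failing with a duplicate-type error from the second run on. Check name and namespace separately: `if not exists(select 1 from pg_type t join pg_namespace n on n.oid = t.typnamespace where t.typname = 'tx_operation' and n.nspname = 'base') then`. The `::base.tx_operation` casts in the tx_journal trigger further down are consistent with the new type name.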


@ -40,9 +40,9 @@ end; $$;
--changeset hs-global-historization-tx-historicize-tf:1 endDelimiter:--// --changeset hs-global-historization-tx-historicize-tf:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create type base.tx_operation as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE'); -- create type base.tx_operation as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
create or replace function tx_historicize_tf() create or replace function base.tx_historicize_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -153,7 +153,7 @@ begin
-- "-9-" to put the trigger execution after any alphabetically lesser tx-triggers -- "-9-" to put the trigger execution after any alphabetically lesser tx-triggers
createTriggerSQL = 'CREATE TRIGGER tx_9_historicize_tg' || createTriggerSQL = 'CREATE TRIGGER tx_9_historicize_tg' ||
' AFTER INSERT OR DELETE OR UPDATE ON ' || baseTable || ' AFTER INSERT OR DELETE OR UPDATE ON ' || baseTable ||
' FOR EACH ROW EXECUTE PROCEDURE tx_historicize_tf()'; ' FOR EACH ROW EXECUTE PROCEDURE base.tx_historicize_tf()';
raise notice 'sql: %', createTriggerSQL; raise notice 'sql: %', createTriggerSQL;
execute createTriggerSQL; execute createTriggerSQL;
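Review bot: The moved type definition at the top of this section is kept as a commented-out line, `-- create type base.tx_operation as enum (...)`; delete it rather than leave dead DDL in a changeset. Its replacement guard in the first section of this page, `where typname = 'base.tx_operation'`, can never match because `pg_type.typname` stores the bare type name without a schema, so the idempotency check is ineffective; `if to_regtype('base.tx_operation') is null then` (or `typname = 'tx_operation' and typnamespace = 'base'::regnamespace`) is the working form. Separately, the trigger DDL on the last lines of the second hunk is still assembled by string concatenation around `baseTable`; `format('CREATE TRIGGER tx_9_historicize_tg AFTER INSERT OR DELETE OR UPDATE ON %s FOR EACH ROW EXECUTE PROCEDURE base.tx_historicize_tf()', baseTable::regclass)` validates the table and quotes it correctly, although as a migration-time helper its input is presumably developer-controlled. The bodies of both functions in this section continue outside their hunks.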


@ -262,7 +262,7 @@ begin
objectTableFromRoleIdName = split_part(roleParts, '#', 1); objectTableFromRoleIdName = split_part(roleParts, '#', 1);
objectNameFromRoleIdName = split_part(roleParts, '#', 2); objectNameFromRoleIdName = split_part(roleParts, '#', 2);
roleTypeFromRoleIdName = split_part(roleParts, '#', 3); roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName); objectUuidOfRole = base.findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
select uuid select uuid
from rbac.role from rbac.role
@ -424,7 +424,7 @@ begin
return permissionUuid; return permissionUuid;
end; $$; end; $$;
create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null) create or replace function rbac.findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
returns uuid returns uuid
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
@ -436,7 +436,7 @@ select uuid
and p.opTableName = forOpTableName and p.opTableName = forOpTableName
$$; $$;
create or replace function findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null) create or replace function rbac.findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
returns uuid returns uuid
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
@ -448,7 +448,7 @@ select uuid
and p.opTableName = forOpTableName and p.opTableName = forOpTableName
$$; $$;
create or replace function getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null) create or replace function rbac.getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
returns uuid returns uuid
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
@ -471,7 +471,7 @@ end; $$;
--changeset rbac-base-duplicate-role-grant-exception:1 endDelimiter:--// --changeset rbac-base-duplicate-role-grant-exception:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace procedure raiseDuplicateRoleGrantException(subRoleId uuid, superRoleId uuid) create or replace procedure rbac.raiseDuplicateRoleGrantException(subRoleId uuid, superRoleId uuid)
language plpgsql as $$ language plpgsql as $$
declare declare
subRoleIdName text; subRoleIdName text;
@ -505,7 +505,7 @@ create index on rbac.grants (ascendantUuid);
create index on rbac.grants (descendantUuid); create index on rbac.grants (descendantUuid);
call base.create_journal('rbac.grants'); call base.create_journal('rbac.grants');
create or replace function findGrantees(grantedId uuid) create or replace function rbac.findGrantees(grantedId uuid)
returns setof rbac.reference returns setof rbac.reference
returns null on null input returns null on null input
language sql as $$ language sql as $$
@ -523,7 +523,7 @@ select ref.*
join rbac.reference ref on ref.uuid = grants.ascendantUuid; join rbac.reference ref on ref.uuid = grants.ascendantUuid;
$$; $$;
create or replace function isGranted(granteeIds uuid[], grantedId uuid) create or replace function rbac.isGranted(granteeIds uuid[], grantedId uuid)
returns bool returns bool
returns null on null input returns null on null input
language sql as $$ language sql as $$
@ -543,13 +543,13 @@ select exists (
) or grantedId = any(granteeIds); ) or grantedId = any(granteeIds);
$$; $$;
create or replace function isGranted(granteeId uuid, grantedId uuid) create or replace function rbac.isGranted(granteeId uuid, grantedId uuid)
returns bool returns bool
returns null on null input returns null on null input
language sql as $$ language sql as $$
select * from isGranted(array[granteeId], grantedId); select * from rbac.isGranted(array[granteeId], grantedId);
$$; $$;
create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid) create or replace function rbac.isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
returns BOOL returns BOOL
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
@ -569,19 +569,19 @@ select exists(
); );
$$; $$;
create or replace function hasInsertPermission(objectUuid uuid, tableName text ) create or replace function rbac.hasInsertPermission(objectUuid uuid, tableName text )
returns BOOL returns BOOL
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
permissionUuid uuid; permissionUuid uuid;
begin begin
permissionUuid = findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName); permissionUuid = rbac.findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName);
return permissionUuid is not null; return permissionUuid is not null;
end; end;
$$; $$;
create or replace function hasGlobalRoleGranted(forAscendantUuid uuid) create or replace function rbac.hasGlobalRoleGranted(forAscendantUuid uuid)
returns bool returns bool
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
@ -595,7 +595,7 @@ select exists(
); );
$$; $$;
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleUuid uuid) create or replace procedure rbac.grantPermissionToRole(permissionUuid uuid, roleUuid uuid)
language plpgsql as $$ language plpgsql as $$
begin begin
perform rbac.assertReferenceType('roleId (ascendant)', roleUuid, 'rbac.role'); perform rbac.assertReferenceType('roleId (ascendant)', roleUuid, 'rbac.role');
@ -608,21 +608,21 @@ begin
end; end;
$$; $$;
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor) create or replace procedure rbac.grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
language plpgsql as $$ language plpgsql as $$
begin begin
call grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc)); call rbac.grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc));
end; end;
$$; $$;
create or replace procedure grantRoleToRole(subRoleId uuid, superRoleId uuid, doAssume bool = true) create or replace procedure rbac.grantRoleToRole(subRoleId uuid, superRoleId uuid, doAssume bool = true)
language plpgsql as $$ language plpgsql as $$
begin begin
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role'); perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
if isGranted(subRoleId, superRoleId) then if rbac.isGranted(subRoleId, superRoleId) then
call raiseDuplicateRoleGrantException(subRoleId, superRoleId); call rbac.raiseDuplicateRoleGrantException(subRoleId, superRoleId);
end if; end if;
insert insert
@ -632,13 +632,13 @@ begin
end; $$; end; $$;
create or replace procedure grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true) create or replace procedure rbac.grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
language plpgsql as $$ language plpgsql as $$
declare declare
superRoleId uuid; superRoleId uuid;
subRoleId uuid; subRoleId uuid;
begin begin
-- TODO.refa: maybe separate method grantRoleToRoleIfNotNull(...) for NULLABLE references -- TODO.refa: maybe separate method rbac.grantRoleToRoleIfNotNull(...) for NULLABLE references
if superRole.objectUuid is null or subRole.objectuuid is null then if superRole.objectUuid is null or subRole.objectuuid is null then
return; return;
end if; end if;
@ -649,8 +649,8 @@ begin
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role'); perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
if isGranted(subRoleId, superRoleId) then if rbac.isGranted(subRoleId, superRoleId) then
call raiseDuplicateRoleGrantException(subRoleId, superRoleId); call rbac.raiseDuplicateRoleGrantException(subRoleId, superRoleId);
end if; end if;
insert insert
@ -659,7 +659,7 @@ begin
on conflict do nothing; -- allow granting multiple times on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
create or replace procedure revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor) create or replace procedure rbac.revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
language plpgsql as $$ language plpgsql as $$
declare declare
superRoleId uuid; superRoleId uuid;
@ -671,7 +671,7 @@ begin
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role'); perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
if (isGranted(superRoleId, subRoleId)) then if (rbac.isGranted(superRoleId, subRoleId)) then
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = subRoleId; delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = subRoleId;
else else
raise exception 'cannot revoke role % (%) from % (%) because it is not granted', raise exception 'cannot revoke role % (%) from % (%) because it is not granted',
@ -692,7 +692,7 @@ begin
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission'); perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
if (isGranted(superRoleId, permissionId)) then if (rbac.isGranted(superRoleId, permissionId)) then
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId; delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId;
else else
select p.op, o.objectTable, o.uuid select p.op, o.objectTable, o.uuid
@ -713,7 +713,7 @@ end; $$;
/* /*
*/ */
create or replace function queryAccessibleObjectUuidsOfSubjectIds( create or replace function rbac.queryAccessibleObjectUuidsOfSubjectIds(
requiredOp rbac.RbacOp, requiredOp rbac.RbacOp,
forObjectTable varchar, forObjectTable varchar,
subjectIds uuid[], subjectIds uuid[],
@ -765,7 +765,7 @@ $$;
/* /*
Returns all permissions accessible to the given subject UUID (subject or role). Returns all permissions accessible to the given subject UUID (subject or role).
*/ */
create or replace function queryPermissionsGrantedToSubjectId(subjectId uuid) create or replace function rbac.queryPermissionsGrantedToSubjectId(subjectId uuid)
returns setof rbac.permission returns setof rbac.permission
strict strict
language sql as $$ language sql as $$
@ -795,7 +795,7 @@ $$;
Returns all subject UUIDs which have any permission for the given object UUID. Returns all subject UUIDs which have any permission for the given object UUID.
*/ */
create or replace function queryAllRbacSubjectsWithPermissionsFor(objectId uuid) create or replace function rbac.queryAllRbacSubjectsWithPermissionsFor(objectId uuid)
returns setof rbac.subject returns setof rbac.subject
returns null on null input returns null on null input
language sql as $$ language sql as $$
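Review bot: In the `rbac.revokeRoleFromRole` hunk (`@ -671`), the guard `if (rbac.isGranted(superRoleId, subRoleId))` appears to answer whether the role is reachable at all (`isGranted` also returns true for `grantedId = any(granteeIds)`, and the rest of its body, outside the `@ -543` hunk, looks like a grants-graph query), yet the following `delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = subRoleId` removes only the direct edge, so an indirectly granted role passes the check and the revoke silently deletes nothing. Check the delete's own outcome instead: after the `delete`, `if not found then raise exception 'cannot revoke role % from %: no direct grant', subRoleId, superRoleId; end if;`. The permission revoke at `@ -692` has the same shape and the same gap. Both procedure bodies start before and end after their hunks, so the surrounding control flow is not visible here.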


@ -48,12 +48,12 @@ begin
assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null'; assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';
assert subjectUuid is not null, 'subjectUuid must not be null'; assert subjectUuid is not null, 'subjectUuid must not be null';
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName; select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
raise exception '[403] Access to granted-by-role % (%) forbidden for % (%)', raise exception '[403] Access to granted-by-role % (%) forbidden for % (%)',
grantedByRoleIdName, grantedByRoleUuid, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); grantedByRoleIdName, grantedByRoleUuid, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end if; end if;
if NOT isGranted(grantedByRoleUuid, grantedRoleUuid) then if NOT rbac.isGranted(grantedByRoleUuid, grantedRoleUuid) then
select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName; select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
select roleIdName from rbac.role_ev where uuid=grantedRoleUuid into grantedRoleIdName; select roleIdName from rbac.role_ev where uuid=grantedRoleUuid into grantedRoleIdName;
raise exception '[403] Access to granted role % (%) forbidden for % (%)', raise exception '[403] Access to granted role % (%) forbidden for % (%)',
@ -81,20 +81,20 @@ begin
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'rbac.role'); perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'rbac.role');
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject'); perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects(); raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, rbac.currentSubjects();
end if; end if;
if NOT isGranted(grantedByRoleUuid, grantedRoleUuid) then if NOT rbac.isGranted(grantedByRoleUuid, grantedRoleUuid) then
raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, currentSubjects(); raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, rbac.currentSubjects();
end if; end if;
--raise exception 'isGranted(%, %)', rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid; --raise exception 'rbac.isGranted(%, %)', rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid;
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects(); raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, rbac.currentSubjects();
end if; end if;
if NOT isGranted(subjectUuid, grantedRoleUuid) then if NOT rbac.isGranted(subjectUuid, grantedRoleUuid) then
raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid; raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid;
end if; end if;
end; $$; end; $$;
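Review bot: The third check in this hunk, `if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid)`, is a verbatim repeat of the first one and can never fire because the first already raised for that condition; drop it together with the commented-out debug line `--raise exception 'rbac.isGranted(%, %)', ...`, which the commit renamed instead of removing. The final `[404]` check only confirms that `subjectUuid` reaches `grantedRoleUuid` through some path, not that a grant made by `grantedByRoleUuid` to this subject exists; since `rbac.grants` rows carry `grantedByRoleUuid` (see the `rbacgrants_rv` view later on this page), consider matching on that triple so the revoke that follows cannot be a no-op. The procedure starts before the hunk.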


@ -5,7 +5,7 @@
--changeset rbac-context-DETERMINE:1 endDelimiter:--// --changeset rbac-context-DETERMINE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace function determineCurrentSubjectUuid(currentSubject varchar) create or replace function rbac.determineCurrentSubjectUuid(currentSubject varchar)
returns uuid returns uuid
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
@ -23,7 +23,7 @@ begin
return currentSubjectUuid; return currentSubjectUuid;
end; $$; end; $$;
create or replace function determineCurrentSubjectOrAssumedRolesUuids(currentSubjectOrAssumedRolesUuids uuid, assumedRoles varchar) create or replace function rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectOrAssumedRolesUuids uuid, assumedRoles varchar)
returns uuid[] returns uuid[]
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
@ -55,7 +55,7 @@ begin
objectNameToAssume = split_part(roleNameParts, '#', 2); objectNameToAssume = split_part(roleNameParts, '#', 2);
roleTypeToAssume = split_part(roleNameParts, '#', 3); roleTypeToAssume = split_part(roleNameParts, '#', 3);
objectUuidToAssume = findObjectUuidByIdName(objectTableToAssume, objectNameToAssume); objectUuidToAssume = base.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
if objectUuidToAssume is null then if objectUuidToAssume is null then
raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts; raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts;
end if; end if;
@ -68,7 +68,7 @@ begin
if roleUuidToAssume is null then if roleUuidToAssume is null then
raise exception '[403] role % does not exist or is not accessible for subject %', roleName, base.currentSubject(); raise exception '[403] role % does not exist or is not accessible for subject %', roleName, base.currentSubject();
end if; end if;
if not isGranted(currentSubjectOrAssumedRolesUuids, roleUuidToAssume) then if not rbac.isGranted(currentSubjectOrAssumedRolesUuids, roleUuidToAssume) then
raise exception '[403] subject % has no permission to assume role %', base.currentSubject(), roleName; raise exception '[403] subject % has no permission to assume role %', base.currentSubject(), roleName;
end if; end if;
roleIdsToAssume := roleIdsToAssume || roleUuidToAssume; roleIdsToAssume := roleIdsToAssume || roleUuidToAssume;
@ -99,12 +99,12 @@ begin
execute format('set local hsadminng.currentRequest to %L', currentRequest); execute format('set local hsadminng.currentRequest to %L', currentRequest);
execute format('set local hsadminng.currentSubject to %L', currentSubject); execute format('set local hsadminng.currentSubject to %L', currentSubject);
select determineCurrentSubjectUuid(currentSubject) into currentSubjectUuid; select rbac.determineCurrentSubjectUuid(currentSubject) into currentSubjectUuid;
execute format('set local hsadminng.currentSubjectUuid to %L', coalesce(currentSubjectUuid::text, '')); execute format('set local hsadminng.currentSubjectUuid to %L', coalesce(currentSubjectUuid::text, ''));
execute format('set local hsadminng.assumedRoles to %L', assumedRoles); execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L', execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L',
(select array_to_string(determineCurrentSubjectOrAssumedRolesUuids(currentSubjectUuid, assumedRoles), ';'))); (select array_to_string(rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectUuid, assumedRoles), ';')));
raise notice 'Context defined as: %, %, %, [%]', currentTask, currentRequest, currentSubject, assumedRoles; raise notice 'Context defined as: %, %, %, [%]', currentTask, currentRequest, currentSubject, assumedRoles;
end; $$; end; $$;
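Review bot: The renamed function is spelled all-lowercase, `rbac.determinecurrentsubjectorassumedrolesuuids`, both at its definition and at the call in the last hunk, while every other function on this page keeps camelCase (e.g. `rbac.determineCurrentSubjectUuid` two hunks up). PostgreSQL folds unquoted identifiers, so it resolves identically, but the spelling defeats grep and breaks the file's convention; use `rbac.determineCurrentSubjectOrAssumedRolesUuids` in both places. Also, the `[401] object % cannot be found in table %` error sits between `[403]` errors raised for the same failed role assumption; if these codes are mapped to HTTP status by the caller, this one probably wants `[403]` as well — please confirm. Both functions' bodies extend beyond their hunks.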


@ -13,7 +13,7 @@ select (objectTable || '#' || objectIdName || ':' || roleType) as roleIdName, *
-- @formatter:off -- @formatter:off
from ( from (
select r.*, select r.*,
o.objectTable, findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName o.objectTable, base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
from rbac.role as r from rbac.role as r
join rbac.object as o on o.uuid = r.objectuuid join rbac.object as o on o.uuid = r.objectuuid
) as unordered ) as unordered
@ -34,10 +34,10 @@ select *
-- @formatter:off -- @formatter:off
from ( from (
select r.*, o.objectTable, select r.*, o.objectTable,
findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
from rbac.role as r from rbac.role as r
join rbac.object as o on o.uuid = r.objectuuid join rbac.object as o on o.uuid = r.objectuuid
where isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid) where rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid)
) as unordered ) as unordered
-- @formatter:on -- @formatter:on
order by objectTable || '#' || objectIdName || ':' || roleType; order by objectTable || '#' || objectIdName || ':' || roleType;
@ -57,7 +57,7 @@ create or replace view rbacgrants_ev as
-- @formatter:off -- @formatter:off
select x.grantUuid as uuid, select x.grantUuid as uuid,
x.grantedByTriggerOf as grantedByTriggerOf, x.grantedByTriggerOf as grantedByTriggerOf,
go.objectTable || '#' || findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName, go.objectTable || '#' || base.findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName,
x.ascendingIdName as ascendantIdName, x.ascendingIdName as ascendantIdName,
x.descendingIdName as descendantIdName, x.descendingIdName as descendantIdName,
x.grantedByRoleUuid, x.grantedByRoleUuid,
@ -72,15 +72,15 @@ create or replace view rbacgrants_ev as
coalesce( coalesce(
'user:' || au.name, 'user:' || au.name,
'role:' || aro.objectTable || '#' || findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype 'role:' || aro.objectTable || '#' || base.findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype
) as ascendingIdName, ) as ascendingIdName,
aro.objectTable, aro.uuid, aro.objectTable, aro.uuid,
( case ( case
when dro is not null when dro is not null
then ('role:' || dro.objectTable || '#' || findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype) then ('role:' || dro.objectTable || '#' || base.findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype)
when dp.op = 'INSERT' when dp.op = 'INSERT'
then 'perm:' || dpo.objecttable || '#' || findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName then 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName
else 'perm:' || dpo.objecttable || '#' || findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op else 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op
end end
) as descendingIdName, ) as descendingIdName,
dro.objectTable, dro.uuid, dro.objectTable, dro.uuid,
@ -115,19 +115,19 @@ create or replace view rbacgrants_ev as
drop view if exists rbacgrants_rv; drop view if exists rbacgrants_rv;
create or replace view rbacgrants_rv as create or replace view rbacgrants_rv as
-- @formatter:off -- @formatter:off
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed, g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid, g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
from ( from (
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed, select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
u.name as userName, o.objecttable, r.objectuuid, r.roletype, u.name as userName, o.objecttable, r.objectuuid, r.roletype,
findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
from rbac.grants as g from rbac.grants as g
join rbac.role as r on r.uuid = g.descendantUuid join rbac.role as r on r.uuid = g.descendantUuid
join rbac.object o on o.uuid = r.objectuuid join rbac.object o on o.uuid = r.objectuuid
left outer join rbac.subject u on u.uuid = g.ascendantuuid left outer join rbac.subject u on u.uuid = g.ascendantuuid
where isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid) where rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid)
) as g ) as g
join rbac.role as r on r.uuid = grantedByRoleUuid join rbac.role as r on r.uuid = grantedByRoleUuid
join rbac.object as o on o.uuid = r.objectUuid join rbac.object as o on o.uuid = r.objectUuid
@ -242,7 +242,7 @@ create or replace view rbac.subject_rv as
select users.* select users.*
from rbac.subject as users from rbac.subject as users
where cardinality(base.assumedRoles()) = 0 and where cardinality(base.assumedRoles()) = 0 and
(rbac.currentSubjectUuid() = users.uuid or hasGlobalRoleGranted(rbac.currentSubjectUuid())) (rbac.currentSubjectUuid() = users.uuid or rbac.hasGlobalRoleGranted(rbac.currentSubjectUuid()))
) as unordered ) as unordered
-- @formatter:on -- @formatter:on
@ -295,11 +295,11 @@ execute function rbac.insert_subject_tf();
Checks if the current subject (user / assumed role) has the permission to delete the user. Checks if the current subject (user / assumed role) has the permission to delete the user.
*/ */
create or replace function delete_subject_tf() create or replace function rbac.delete_subject_tf()
returns trigger returns trigger
language plpgsql as $$ language plpgsql as $$
begin begin
if rbac.currentSubjectUuid() = old.uuid or hasGlobalRoleGranted(rbac.currentSubjectUuid()) then if rbac.currentSubjectUuid() = old.uuid or rbac.hasGlobalRoleGranted(rbac.currentSubjectUuid()) then
delete from rbac.subject where uuid = old.uuid; delete from rbac.subject where uuid = old.uuid;
return old; return old;
end if; end if;
@ -313,7 +313,7 @@ create trigger delete_subject_tg
instead of delete instead of delete
on rbac.subject_rv on rbac.subject_rv
for each row for each row
execute function delete_subject_tf(); execute function rbac.delete_subject_tf();
--/ --/
-- ============================================================================ -- ============================================================================
@ -353,7 +353,7 @@ begin
-- @formatter:off -- @formatter:off
currentSubjectUuid := rbac.currentSubjectUuid(); currentSubjectUuid := rbac.currentSubjectUuid();
if hasGlobalRoleGranted(targetSubjectUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then if rbac.hasGlobalRoleGranted(targetSubjectUuid) and not rbac.hasGlobalRoleGranted(currentSubjectUuid) then
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetSubjectUuid, base.currentSubject(); raise exception '[403] permissions of user "%" are not accessible to user "%"', targetSubjectUuid, base.currentSubject();
end if; end if;
@ -364,17 +364,17 @@ begin
xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid
from (select from (select
r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable, r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable,
findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName, base.findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
p.uuid as permissionUuid, p.op, p.opTableName, p.uuid as permissionUuid, p.op, p.opTableName,
po.objecttable as permissionObjectTable, po.objecttable as permissionObjectTable,
findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName, base.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
po.uuid as permissionObjectUuid po.uuid as permissionObjectUuid
from queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
join rbac.grants as g on g.descendantUuid = p.uuid join rbac.grants as g on g.descendantUuid = p.uuid
join rbac.object as po on po.uuid = p.objectUuid join rbac.object as po on po.uuid = p.objectUuid
join rbac.role_rv as r on r.uuid = g.ascendantUuid join rbac.role_rv as r on r.uuid = g.ascendantUuid
join rbac.object as ro on ro.uuid = r.objectUuid join rbac.object as ro on ro.uuid = r.objectUuid
where isGranted(targetSubjectUuid, r.uuid) where rbac.isGranted(targetSubjectUuid, r.uuid)
) xp; ) xp;
-- @formatter:on -- @formatter:on
end; $$; end; $$;
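Review bot: Two views in this file are still created without a schema — `create or replace view rbacgrants_ev as` and `drop view if exists rbacgrants_rv; create or replace view rbacgrants_rv as` — while the objects they read (`rbac.grants`, `rbac.role`, `rbac.subject`) and the sibling views `rbac.role_rv` / `rbac.subject_rv` are qualified. An unqualified `create view` lands in whatever schema heads `search_path` when the changeset runs, and later unqualified references resolve through `search_path` again, which is exactly the ambiguity the move into `base`/`rbac` removes elsewhere; qualify them (e.g. `rbac.grants_ev` / `rbac.grants_rv`, matching `rbac.role_rv`) and update the callers. The `drop view if exists` immediately followed by `create or replace view` is also redundant — one or the other suffices.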


@ -33,19 +33,19 @@ begin
foreach permission in array permissions foreach permission in array permissions
loop loop
permissionUuid := rbac.createPermission(roleDescriptor.objectuuid, permission); permissionUuid := rbac.createPermission(roleDescriptor.objectuuid, permission);
call grantPermissionToRole(permissionUuid, roleUuid); call rbac.grantPermissionToRole(permissionUuid, roleUuid);
end loop; end loop;
foreach superRoleDesc in array array_remove(incomingSuperRoles, null) foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
loop loop
superRoleUuid := rbac.getRoleId(superRoleDesc); superRoleUuid := rbac.getRoleId(superRoleDesc);
call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed); call rbac.grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
end loop; end loop;
foreach subRoleDesc in array array_remove(outgoingSubRoles, null) foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
loop loop
subRoleUuid := rbac.getRoleId(subRoleDesc); subRoleUuid := rbac.getRoleId(subRoleDesc);
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed); call rbac.grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
end loop; end loop;
if cardinality(subjectUuids) > 0 then if cardinality(subjectUuids) > 0 then


@ -148,7 +148,7 @@ begin
targettable := lower(targettable); targettable := lower(targettable);
sqlQuery = format($sql$ sqlQuery = format($sql$
select target.uuid, cleanIdentifier(%2$s) as idName select target.uuid, base.cleanIdentifier(%2$s) as idName
from %1$s as target; from %1$s as target;
$sql$, targetTable, sqlProjection); $sql$, targetTable, sqlProjection);
call rbac.generateRbacIdentityViewFromQuery(targetTable, sqlQuery); call rbac.generateRbacIdentityViewFromQuery(targetTable, sqlQuery);
@ -256,7 +256,7 @@ begin
returns trigger returns trigger
language plpgsql as $f$ language plpgsql as $f$
begin begin
if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('DELETE', '%1$s', rbac.currentSubjectOrAssumedRolesUuids())) then if old.uuid in (select rbac.queryAccessibleObjectUuidsOfSubjectIds('DELETE', '%1$s', rbac.currentSubjectOrAssumedRolesUuids())) then
delete from %1$s p where p.uuid = old.uuid; delete from %1$s p where p.uuid = old.uuid;
return old; return old;
end if; end if;
@ -287,7 +287,7 @@ begin
returns trigger returns trigger
language plpgsql as $f$ language plpgsql as $f$
begin begin
if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('UPDATE', '%1$s', rbac.currentSubjectOrAssumedRolesUuids())) then if old.uuid in (select rbac.queryAccessibleObjectUuidsOfSubjectIds('UPDATE', '%1$s', rbac.currentSubjectOrAssumedRolesUuids())) then
update %1$s update %1$s
set %2$s set %2$s
where uuid = old.uuid; where uuid = old.uuid;
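Review bot: The dynamic SQL built in the first hunk (`sqlQuery = format($sql$ ... from %1$s as target; $sql$, targetTable, sqlProjection)`) pastes the table name in with `%1$s`, i.e. unquoted, and the delete and update trigger templates in the next two hunks embed it inside a string literal as `'%1$s'`. Since these generators emit the RBAC views and row-level triggers for every protected table, a name that needs quoting yields wrong or unparseable SQL, and if the name could ever originate anywhere but the RBAC DSL it would be an injection point. Letting PostgreSQL do the quoting — `%1$I` for the identifier in the select template and `%1$L` in place of `'%1$s'` where it is passed as a literal — removes both concerns; `sqlProjection` (`%2$s`) is raw SQL by design and stays as is. The enclosing functions begin outside these hunks, so whether the callers already validate the name is not visible here.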


@ -30,7 +30,7 @@ create or replace function rbac.isGlobalAdmin()
returns boolean returns boolean
language plpgsql as $$ language plpgsql as $$
begin begin
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin())); return rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
end; $$; end; $$;
--// --//
@ -45,7 +45,7 @@ create or replace function rbac.hasGlobalPermission(op rbac.RbacOp)
$$ $$
-- TODO.perf: this could to be optimized -- TODO.perf: this could to be optimized
select (select uuid from rbac.global) in select (select uuid from rbac.global) in
(select queryAccessibleObjectUuidsOfSubjectIds(op, 'rbac.global', rbac.currentSubjectOrAssumedRolesUuids())); (select rbac.queryAccessibleObjectUuidsOfSubjectIds(op, 'rbac.global', rbac.currentSubjectOrAssumedRolesUuids()));
$$; $$;
--// --//


@ -94,7 +94,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'), rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
rbac.globalAdmin()); rbac.globalAdmin());
END LOOP; END LOOP;
@ -110,7 +110,7 @@ create or replace function new_test_customer_grants_insert_to_global_tf()
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'), rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
rbac.globalAdmin()); rbac.globalAdmin());
-- end. -- end.
@ -143,7 +143,7 @@ begin
end if; end if;
raise exception '[403] insert into test_customer values(%) not allowed for current subjects % (%)', raise exception '[403] insert into test_customer values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger test_customer_insert_permission_check_tg create trigger test_customer_insert_permission_check_tg


@ -110,11 +110,11 @@ begin
if NEW.customerUuid <> OLD.customerUuid then if NEW.customerUuid <> OLD.customerUuid then
call revokeRoleFromRole(testPackageOWNER(OLD), testCustomerADMIN(oldCustomer)); call rbac.revokeRoleFromRole(testPackageOWNER(OLD), testCustomerADMIN(oldCustomer));
call grantRoleToRole(testPackageOWNER(NEW), testCustomerADMIN(newCustomer)); call rbac.grantRoleToRole(testPackageOWNER(NEW), testCustomerADMIN(newCustomer));
call revokeRoleFromRole(testCustomerTENANT(oldCustomer), testPackageTENANT(OLD)); call rbac.revokeRoleFromRole(testCustomerTENANT(oldCustomer), testPackageTENANT(OLD));
call grantRoleToRole(testCustomerTENANT(newCustomer), testPackageTENANT(NEW)); call rbac.grantRoleToRole(testCustomerTENANT(newCustomer), testPackageTENANT(NEW));
end if; end if;
@ -159,7 +159,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM test_customer FOR row IN SELECT * FROM test_customer
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'test_package'), rbac.createPermission(row.uuid, 'INSERT', 'test_package'),
testCustomerADMIN(row)); testCustomerADMIN(row));
END LOOP; END LOOP;
@ -175,7 +175,7 @@ create or replace function new_test_package_grants_insert_to_test_customer_tf()
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'), rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'),
testCustomerADMIN(NEW)); testCustomerADMIN(NEW));
-- end. -- end.
@ -203,12 +203,12 @@ declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT permission via direct foreign key: NEW.customerUuid -- check INSERT permission via direct foreign key: NEW.customerUuid
if hasInsertPermission(NEW.customerUuid, 'test_package') then if rbac.hasInsertPermission(NEW.customerUuid, 'test_package') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into test_package values(%) not allowed for current subjects % (%)', raise exception '[403] insert into test_package values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger test_package_insert_permission_check_tg create trigger test_package_insert_permission_check_tg
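Review bot: The guard `if NEW.customerUuid <> OLD.customerUuid then` in the first hunk is not null-safe: if either side is NULL the comparison yields NULL and the whole revoke/grant block is skipped, so a row whose owner reference moves from or to NULL keeps its previous role grants. If `customerUuid` is declared NOT NULL this cannot occur, but because this block is where authorization follows the data, `if NEW.customerUuid is distinct from OLD.customerUuid then` states the intent without depending on the column constraint. The same pattern appears in the test_domain update trigger (`NEW.packageUuid <> OLD.packageUuid`) and in the hs_office_partner one (`NEW.partnerRelUuid <> OLD.partnerRelUuid`). The enclosing trigger functions start outside the hunks.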


@ -106,14 +106,14 @@ begin
if NEW.packageUuid <> OLD.packageUuid then if NEW.packageUuid <> OLD.packageUuid then
call revokeRoleFromRole(testDomainOWNER(OLD), testPackageADMIN(oldPackage)); call rbac.revokeRoleFromRole(testDomainOWNER(OLD), testPackageADMIN(oldPackage));
call grantRoleToRole(testDomainOWNER(NEW), testPackageADMIN(newPackage)); call rbac.grantRoleToRole(testDomainOWNER(NEW), testPackageADMIN(newPackage));
call revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainOWNER(OLD)); call rbac.revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainOWNER(OLD));
call grantRoleToRole(testPackageTENANT(newPackage), testDomainOWNER(NEW)); call rbac.grantRoleToRole(testPackageTENANT(newPackage), testDomainOWNER(NEW));
call revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainADMIN(OLD)); call rbac.revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainADMIN(OLD));
call grantRoleToRole(testPackageTENANT(newPackage), testDomainADMIN(NEW)); call rbac.grantRoleToRole(testPackageTENANT(newPackage), testDomainADMIN(NEW));
end if; end if;
@ -158,7 +158,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM test_package FOR row IN SELECT * FROM test_package
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'test_domain'), rbac.createPermission(row.uuid, 'INSERT', 'test_domain'),
testPackageADMIN(row)); testPackageADMIN(row));
END LOOP; END LOOP;
@ -174,7 +174,7 @@ create or replace function new_test_domain_grants_insert_to_test_package_tf()
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'), rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'),
testPackageADMIN(NEW)); testPackageADMIN(NEW));
-- end. -- end.
@ -202,12 +202,12 @@ declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT permission via direct foreign key: NEW.packageUuid -- check INSERT permission via direct foreign key: NEW.packageUuid
if hasInsertPermission(NEW.packageUuid, 'test_domain') then if rbac.hasInsertPermission(NEW.packageUuid, 'test_domain') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into test_domain values(%) not allowed for current subjects % (%)', raise exception '[403] insert into test_domain values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger test_domain_insert_permission_check_tg create trigger test_domain_insert_permission_check_tg


@ -14,7 +14,7 @@ declare
postalAddr varchar; postalAddr varchar;
emailAddr varchar; emailAddr varchar;
begin begin
emailAddr = 'contact-admin@' || cleanIdentifier(contCaption) || '.example.com'; emailAddr = 'contact-admin@' || base.cleanIdentifier(contCaption) || '.example.com';
call base.defineContext('creating contact test-data'); call base.defineContext('creating contact test-data');
perform rbac.create_subject(emailAddr); perform rbac.create_subject(emailAddr);
call base.defineContext('creating contact test-data', null, emailAddr); call base.defineContext('creating contact test-data', null, emailAddr);


@ -20,7 +20,7 @@ declare
emailAddr varchar; emailAddr varchar;
begin begin
fullName := concat_ws(', ', newTradeName, newFamilyName, newGivenName); fullName := concat_ws(', ', newTradeName, newFamilyName, newGivenName);
emailAddr = 'person-' || left(cleanIdentifier(fullName), 32) || '@example.com'; emailAddr = 'person-' || left(base.cleanIdentifier(fullName), 32) || '@example.com';
call base.defineContext('creating person test-data'); call base.defineContext('creating person test-data');
perform rbac.create_subject(emailAddr); perform rbac.create_subject(emailAddr);
call base.defineContext('creating person test-data', null, emailAddr); call base.defineContext('creating person test-data', null, emailAddr);


@ -78,12 +78,12 @@ begin
); );
IF NEW.type = 'REPRESENTATIVE' THEN IF NEW.type = 'REPRESENTATIVE' THEN
call grantRoleToRole(hsOfficePersonOWNER(newAnchorPerson), hsOfficeRelationADMIN(NEW)); call rbac.grantRoleToRole(hsOfficePersonOWNER(newAnchorPerson), hsOfficeRelationADMIN(NEW));
call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson)); call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson)); call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
ELSE ELSE
call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson)); call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson)); call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
END IF; END IF;
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
@ -168,7 +168,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM hs_office_person FOR row IN SELECT * FROM hs_office_person
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
hsOfficePersonADMIN(row)); hsOfficePersonADMIN(row));
END LOOP; END LOOP;
@ -184,7 +184,7 @@ create or replace function new_hs_office_relation_grants_insert_to_hs_office_per
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
hsOfficePersonADMIN(NEW)); hsOfficePersonADMIN(NEW));
-- end. -- end.
@ -212,12 +212,12 @@ declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT permission via direct foreign key: NEW.anchorUuid -- check INSERT permission via direct foreign key: NEW.anchorUuid
if hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then if rbac.hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)', raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_office_relation_insert_permission_check_tg create trigger hs_office_relation_insert_permission_check_tg
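Review bot: After this change the `rbac.*` calls resolve independently of search_path, but the per-entity role descriptor functions used in the same statements (`hsOfficePersonOWNER`, `hsOfficeRelationADMIN`, `hsOfficePersonADMIN` here, and the `testPackage*`/`testCustomer*`/`hsOfficeMembership*` ones in the other trigger files) remain unqualified, which looks intentional given the commit title. They are therefore still resolved through the session's search_path at trigger time; if any of these trigger functions run with elevated rights or are fired from sessions whose search_path a caller can influence, a same-named function in an earlier schema would be chosen instead. Pinning the search_path on the function definitions (`ALTER FUNCTION <trigger_function> SET search_path = <schemas>;`), or qualifying these calls too once they live in a dedicated schema, closes that for the remaining names. Which role the trigger functions execute as is not visible in the hunks.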


@ -22,7 +22,7 @@ declare
contact hs_office_contact; contact hs_office_contact;
begin begin
idName := cleanIdentifier( anchorPersonName || '-' || holderPersonName); idName := base.cleanIdentifier( anchorPersonName || '-' || holderPersonName);
select p.* select p.*
into anchorPerson into anchorPerson


@ -42,12 +42,12 @@ begin
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails; SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid); assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -110,23 +110,23 @@ begin
if NEW.partnerRelUuid <> OLD.partnerRelUuid then if NEW.partnerRelUuid <> OLD.partnerRelUuid then
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel)); call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel)); call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel)); call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel)); call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
end if; end if;
@ -171,7 +171,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
rbac.globalAdmin()); rbac.globalAdmin());
END LOOP; END LOOP;
@ -187,7 +187,7 @@ create or replace function new_hs_office_partner_grants_insert_to_global_tf()
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
rbac.globalAdmin()); rbac.globalAdmin());
-- end. -- end.
@ -220,7 +220,7 @@ begin
end if; end if;
raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_office_partner_insert_permission_check_tg create trigger hs_office_partner_insert_permission_check_tg
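Review bot: The update hunk only enters the revoke/grant block when `NEW.partnerRelUuid <> OLD.partnerRelUuid`, yet inside it the block also re-grants DELETE/SELECT/UPDATE on `newPartnerDetails.uuid`. An update that changes `detailsUuid` but leaves `partnerRelUuid` untouched therefore keeps the old details row's permissions granted to the relation's roles and grants nothing for the new one — unless that case is handled elsewhere in this function, which starts outside the hunk. If it is not, guarding the three `oldPartnerDetails`/`newPartnerDetails` pairs with their own condition, `if NEW.detailsUuid is distinct from OLD.detailsUuid then`, keeps the grants in step with the row. The insert hunk asserts `newPartnerDetails.uuid is not null` after its lookup; where the update path loads `oldPartnerDetails`/`newPartnerDetails` is outside the hunk, so I cannot see whether it has the same check.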


@ -75,7 +75,7 @@ begin
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
rbac.globalAdmin()); rbac.globalAdmin());
END LOOP; END LOOP;
@ -91,7 +91,7 @@ create or replace function new_hs_office_partner_details_grants_insert_to_global
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
rbac.globalAdmin()); rbac.globalAdmin());
-- end. -- end.
@ -124,7 +124,7 @@ begin
end if; end if;
raise exception '[403] insert into hs_office_partner_details values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_office_partner_details values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_office_partner_details_insert_permission_check_tg create trigger hs_office_partner_details_insert_permission_check_tg


@ -21,7 +21,7 @@ declare
relatedPerson hs_office_person; relatedPerson hs_office_person;
relatedDetailsUuid uuid; relatedDetailsUuid uuid;
begin begin
idName := cleanIdentifier( partnerPersonName|| '-' || contactCaption); idName := base.cleanIdentifier( partnerPersonName|| '-' || contactCaption);
select p.* from hs_office_person p select p.* from hs_office_person p
where p.tradeName = mandantTradeName where p.tradeName = mandantTradeName


@ -13,7 +13,7 @@ create or replace procedure createHsOfficeBankAccountTestData(givenHolder varcha
declare declare
emailAddr varchar; emailAddr varchar;
begin begin
emailAddr = 'bankaccount-admin@' || cleanIdentifier(givenHolder) || '.example.com'; emailAddr = 'bankaccount-admin@' || base.cleanIdentifier(givenHolder) || '.example.com';
perform rbac.create_subject(emailAddr); perform rbac.create_subject(emailAddr);
call base.defineContext('creating bankaccount test-data', null, emailAddr); call base.defineContext('creating bankaccount test-data', null, emailAddr);


@ -51,15 +51,15 @@ begin
SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount; SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
call grantRoleToRole(hsOfficeBankAccountREFERRER(newRefundBankAccount), hsOfficeRelationAGENT(newDebitorRel)); call rbac.grantRoleToRole(hsOfficeBankAccountREFERRER(newRefundBankAccount), hsOfficeRelationAGENT(newDebitorRel));
call grantRoleToRole(hsOfficeRelationADMIN(newDebitorRel), hsOfficeRelationADMIN(newPartnerRel)); call rbac.grantRoleToRole(hsOfficeRelationADMIN(newDebitorRel), hsOfficeRelationADMIN(newPartnerRel));
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeBankAccountADMIN(newRefundBankAccount)); call rbac.grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeBankAccountADMIN(newRefundBankAccount));
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel)); call rbac.grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel)); call rbac.grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -144,7 +144,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
rbac.globalAdmin()); rbac.globalAdmin());
END LOOP; END LOOP;
@ -160,7 +160,7 @@ create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
rbac.globalAdmin()); rbac.globalAdmin());
-- end. -- end.
@ -193,7 +193,7 @@ begin
end if; end if;
raise exception '[403] insert into hs_office_debitor values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_office_debitor values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_office_debitor_insert_permission_check_tg create trigger hs_office_debitor_insert_permission_check_tg
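Review bot: In the insert hunk the record loaded by `SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;` is used right away in the two grants that reference `newRefundBankAccount`, without the `assert ... is not null` guard that the hs_office_partner trigger applies after its equivalent lookup. If `refundBankAccountUuid` is optional, those two grant calls belong inside `if NEW.refundBankAccountUuid is not null then ... end if;`; if it is mandatory, `assert newRefundBankAccount.uuid is not null, format('newRefundBankAccount must not be null for NEW.refundBankAccountUuid = %s', NEW.refundBankAccountUuid);` matches the existing style and turns a silent no-row lookup into a clear failure instead of a grant on an empty record. Which of the two applies depends on the column definition, which is outside this hunk.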


@ -20,7 +20,7 @@ declare
relatedDebitorRelUuid uuid; relatedDebitorRelUuid uuid;
relatedBankAccountUuid uuid; relatedBankAccountUuid uuid;
begin begin
idName := cleanIdentifier( forPartnerPersonName|| '-' || forBillingContactCaption); idName := base.cleanIdentifier( forPartnerPersonName|| '-' || forBillingContactCaption);
select debitorRel.uuid select debitorRel.uuid
into relatedDebitorRelUuid into relatedDebitorRelUuid


@ -119,7 +119,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM hs_office_relation FOR row IN SELECT * FROM hs_office_relation
WHERE type = 'DEBITOR' WHERE type = 'DEBITOR'
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
hsOfficeRelationADMIN(row)); hsOfficeRelationADMIN(row));
END LOOP; END LOOP;
@ -135,7 +135,7 @@ create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_
strict as $$ strict as $$
begin begin
if NEW.type = 'DEBITOR' then if NEW.type = 'DEBITOR' then
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
hsOfficeRelationADMIN(NEW)); hsOfficeRelationADMIN(NEW));
end if; end if;
@ -169,12 +169,12 @@ begin
WHERE debitor.uuid = NEW.debitorUuid WHERE debitor.uuid = NEW.debitorUuid
); );
assert superObjectUuid is not null, 'object uuid fetched depending on hs_office_sepamandate.debitorUuid must not be null, also check fetchSql in RBAC DSL'; assert superObjectUuid is not null, 'object uuid fetched depending on hs_office_sepamandate.debitorUuid must not be null, also check fetchSql in RBAC DSL';
if hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then if rbac.hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into hs_office_sepamandate values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_office_sepamandate values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_office_sepamandate_insert_permission_check_tg create trigger hs_office_sepamandate_insert_permission_check_tg


@ -106,7 +106,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
rbac.globalAdmin()); rbac.globalAdmin());
END LOOP; END LOOP;
@ -122,7 +122,7 @@ create or replace function new_hs_office_membership_grants_insert_to_global_tf()
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
rbac.globalAdmin()); rbac.globalAdmin());
-- end. -- end.
@ -155,7 +155,7 @@ begin
end if; end if;
raise exception '[403] insert into hs_office_membership values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_office_membership values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_office_membership_insert_permission_check_tg create trigger hs_office_membership_insert_permission_check_tg


@ -38,8 +38,8 @@ begin
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership; SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid); assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -82,7 +82,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM hs_office_membership FOR row IN SELECT * FROM hs_office_membership
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
hsOfficeMembershipADMIN(row)); hsOfficeMembershipADMIN(row));
END LOOP; END LOOP;
@ -98,7 +98,7 @@ create or replace function new_hs_office_coopsharestransaction_grants_insert_to_
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
hsOfficeMembershipADMIN(NEW)); hsOfficeMembershipADMIN(NEW));
-- end. -- end.
@ -126,12 +126,12 @@ declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT permission via direct foreign key: NEW.membershipUuid -- check INSERT permission via direct foreign key: NEW.membershipUuid
if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then if rbac.hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into hs_office_coopsharestransaction values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_office_coopsharestransaction values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_office_coopsharestransaction_insert_permission_check_tg create trigger hs_office_coopsharestransaction_insert_permission_check_tg


@ -38,8 +38,8 @@ begin
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership; SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid); assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership)); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -82,7 +82,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM hs_office_membership FOR row IN SELECT * FROM hs_office_membership
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
hsOfficeMembershipADMIN(row)); hsOfficeMembershipADMIN(row));
END LOOP; END LOOP;
@ -98,7 +98,7 @@ create or replace function new_hs_office_coopassetstransaction_grants_insert_to_
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
hsOfficeMembershipADMIN(NEW)); hsOfficeMembershipADMIN(NEW));
-- end. -- end.
@ -126,12 +126,12 @@ declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT permission via direct foreign key: NEW.membershipUuid -- check INSERT permission via direct foreign key: NEW.membershipUuid
if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then if rbac.hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into hs_office_coopassetstransaction values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_office_coopassetstransaction values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_office_coopassetstransaction_insert_permission_check_tg create trigger hs_office_coopassetstransaction_insert_permission_check_tg
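Review bot: The hunks at `@ -38,8 +38,8 @@` and `@ -126,12 +126,12 @@` now qualify `rbac.grantPermissionToRole`, `rbac.hasInsertPermission` and `rbac.currentSubjects`, but the same trigger functions still call `hsOfficeMembershipAGENT`/`hsOfficeMembershipADMIN` and read `hs_office_membership` unqualified, so name resolution in these authorization paths still depends on the caller's `search_path`; either qualify those too or pin the path on the definition, e.g. `... strict set search_path = <SCHEMA_LIST placeholder> as $$`, which is the customary hardening for functions that decide grants. The `[403]` exception in the `@ -126` hunk interpolates the whole `NEW` record into its message; if that text reaches API clients or logs, a subject without INSERT permission gets the rejected row echoed back, so consider reporting only `NEW.uuid` — the `hs_booking_project` and `hs_booking_item` sections below raise the same message and would want the same change. `superObjectUuid uuid` is declared in that hunk's context line but, as far as the hunk shows, is never assigned, which looks like residue from the generator. The enclosing trigger function begins outside the hunk.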


@ -70,7 +70,7 @@ begin
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)] outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
); );
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin()); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -113,7 +113,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM hs_office_relation FOR row IN SELECT * FROM hs_office_relation
WHERE type = 'DEBITOR' WHERE type = 'DEBITOR'
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_project'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
hsOfficeRelationADMIN(row)); hsOfficeRelationADMIN(row));
END LOOP; END LOOP;
@ -129,7 +129,7 @@ create or replace function new_hs_booking_project_grants_insert_to_hs_office_rel
strict as $$ strict as $$
begin begin
if NEW.type = 'DEBITOR' then if NEW.type = 'DEBITOR' then
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
hsOfficeRelationADMIN(NEW)); hsOfficeRelationADMIN(NEW));
end if; end if;
@ -163,12 +163,12 @@ begin
WHERE debitor.uuid = NEW.debitorUuid WHERE debitor.uuid = NEW.debitorUuid
); );
assert superObjectUuid is not null, 'object uuid fetched depending on hs_booking_project.debitorUuid must not be null, also check fetchSql in RBAC DSL'; assert superObjectUuid is not null, 'object uuid fetched depending on hs_booking_project.debitorUuid must not be null, also check fetchSql in RBAC DSL';
if hasInsertPermission(superObjectUuid, 'hs_booking_project') then if rbac.hasInsertPermission(superObjectUuid, 'hs_booking_project') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into hs_booking_project values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_booking_project values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_booking_project_insert_permission_check_tg create trigger hs_booking_project_insert_permission_check_tg
@ -184,7 +184,7 @@ create trigger hs_booking_project_insert_permission_check_tg
call rbac.generateRbacIdentityViewFromQuery('hs_booking_project', call rbac.generateRbacIdentityViewFromQuery('hs_booking_project',
$idName$ $idName$
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || base.cleanIdentifier(bookingProject.caption) as idName
FROM hs_booking_project bookingProject FROM hs_booking_project bookingProject
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid
$idName$); $idName$);
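Review bot: In the hunk at `@ -163,12 +163,12 @@` the null check on `superObjectUuid` is an `assert`, and PL/pgSQL asserts are skipped when `plpgsql.check_asserts` is off, in which case `rbac.hasInsertPermission(NULL, 'hs_booking_project')` is reached; whether that yields false and still ends in the `[403]` exception depends on that function's null handling, which is outside this hunk. For an authorization path I would make the guard unconditional, e.g. `if superObjectUuid is null then raise exception 'object uuid fetched depending on hs_booking_project.debitorUuid must not be null, also check fetchSql in RBAC DSL'; end if;`, keeping the existing wording. In the `@ -184,7 +184,7 @@` hunk the query text handed to `rbac.generateRbacIdentityViewFromQuery` now qualifies `base.cleanIdentifier` but leaves `hs_booking_project` and `hs_office_debitor_iv` unqualified, so the generated view is still bound to whatever `search_path` is active when it is created. The trigger function of the first hunk begins outside it.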


@ -69,7 +69,7 @@ begin
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin()); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -112,7 +112,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
rbac.globalAdmin()); rbac.globalAdmin());
END LOOP; END LOOP;
@ -128,7 +128,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
rbac.globalAdmin()); rbac.globalAdmin());
-- end. -- end.
@ -155,7 +155,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM hs_booking_project FOR row IN SELECT * FROM hs_booking_project
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
hsBookingProjectADMIN(row)); hsBookingProjectADMIN(row));
END LOOP; END LOOP;
@ -171,7 +171,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsBookingProjectADMIN(NEW)); hsBookingProjectADMIN(NEW));
-- end. -- end.
@ -198,7 +198,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsBookingItemADMIN(NEW)); hsBookingItemADMIN(NEW));
-- end. -- end.
@ -230,16 +230,16 @@ begin
return NEW; return NEW;
end if; end if;
-- check INSERT permission via direct foreign key: NEW.projectUuid -- check INSERT permission via direct foreign key: NEW.projectUuid
if hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then if rbac.hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then
return NEW; return NEW;
end if; end if;
-- check INSERT permission via direct foreign key: NEW.parentItemUuid -- check INSERT permission via direct foreign key: NEW.parentItemUuid
if hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then if rbac.hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into hs_booking_item values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_booking_item values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_booking_item_insert_permission_check_tg create trigger hs_booking_item_insert_permission_check_tg
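Review bot: In the hunk at `@ -230,16 +230,16 @@` both `rbac.hasInsertPermission` calls are fed `NEW.projectUuid` and `NEW.parentItemUuid` directly, and presumably at most one of the two is set for a given item, so one call always receives a NULL object uuid; the hunk does not show how `rbac.hasInsertPermission` treats NULL, and the authorization outcome silently relies on it not being permissive. Making the intent explicit also avoids the lookup: `if NEW.projectUuid is not null and rbac.hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then` and likewise `if NEW.parentItemUuid is not null and rbac.hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then`. The identical file section that follows this one carries the same hunk and would want the same change. The enclosing trigger function begins outside the hunk.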


@ -69,7 +69,7 @@ begin
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin()); call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -112,7 +112,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
rbac.globalAdmin()); rbac.globalAdmin());
END LOOP; END LOOP;
@ -128,7 +128,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
rbac.globalAdmin()); rbac.globalAdmin());
-- end. -- end.
@ -155,7 +155,7 @@ do language plpgsql $$
FOR row IN SELECT * FROM hs_booking_project FOR row IN SELECT * FROM hs_booking_project
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
hsBookingProjectADMIN(row)); hsBookingProjectADMIN(row));
END LOOP; END LOOP;
@ -171,7 +171,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsBookingProjectADMIN(NEW)); hsBookingProjectADMIN(NEW));
-- end. -- end.
@ -198,7 +198,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
strict as $$ strict as $$
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsBookingItemADMIN(NEW)); hsBookingItemADMIN(NEW));
-- end. -- end.
@ -230,16 +230,16 @@ begin
return NEW; return NEW;
end if; end if;
-- check INSERT permission via direct foreign key: NEW.projectUuid -- check INSERT permission via direct foreign key: NEW.projectUuid
if hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then if rbac.hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then
return NEW; return NEW;
end if; end if;
-- check INSERT permission via direct foreign key: NEW.parentItemUuid -- check INSERT permission via direct foreign key: NEW.parentItemUuid
if hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then if rbac.hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then
return NEW; return NEW;
end if; end if;
raise exception '[403] insert into hs_booking_item values(%) not allowed for current subjects % (%)', raise exception '[403] insert into hs_booking_item values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger hs_booking_item_insert_permission_check_tg create trigger hs_booking_item_insert_permission_check_tg