rename grantedByRoleUuid to userGrantsByRoleUuid

This commit is contained in:
Michael Hoennig 2024-03-23 11:38:26 +01:00
parent 6b8d677670
commit acd1bd9e51
7 changed files with 54 additions and 54 deletions

View File

@ -28,8 +28,8 @@ public class RawRbacGrantEntity implements Comparable {
@Column(name = "grantedbyroleidname", updatable = false, insertable = false) @Column(name = "grantedbyroleidname", updatable = false, insertable = false)
private String grantedByRoleIdName; private String grantedByRoleIdName;
@Column(name = "grantedbyroleuuid", updatable = false, insertable = false) @Column(name = "usergrantsbyroleuuid", updatable = false, insertable = false)
private UUID grantedByRoleUuid; private UUID userGrantsByRoleUuid;
@Column(name = "ascendantidname", updatable = false, insertable = false) @Column(name = "ascendantidname", updatable = false, insertable = false)
private String ascendantIdName; private String ascendantIdName;
@ -50,7 +50,7 @@ public class RawRbacGrantEntity implements Comparable {
// @formatter:off // @formatter:off
return "{ grant " + descendantIdName + return "{ grant " + descendantIdName +
" to " + ascendantIdName + " to " + ascendantIdName +
" by " + ( grantedByRoleUuid == null " by " + ( userGrantsByRoleUuid == null
? "system" ? "system"
: grantedByRoleIdName ) + : grantedByRoleIdName ) +
( assumed ? " and assume" : "") + ( assumed ? " and assume" : "") +

View File

@ -22,8 +22,8 @@ public class RbacGrantEntity {
@Column(name = "grantedbyroleidname", updatable = false, insertable = false) @Column(name = "grantedbyroleidname", updatable = false, insertable = false)
private String grantedByRoleIdName; private String grantedByRoleIdName;
@Column(name = "grantedbyroleuuid", updatable = false, insertable = false) @Column(name = "usergrantsbyroleuuid", updatable = false, insertable = false)
private UUID grantedByRoleUuid; private UUID userGrantsByRoleUuid;
@Column(name = "grantedroleidname", updatable = false, insertable = false) @Column(name = "grantedroleidname", updatable = false, insertable = false)
private String grantedRoleIdName; private String grantedRoleIdName;

View File

@ -8,7 +8,7 @@ components:
properties: properties:
grantedByRoleIdName: grantedByRoleIdName:
type: string type: string
grantedByRoleUuid: userGrantsByRoleUuid:
type: string type: string
format: uuid format: uuid
assumed: assumed:

View File

@ -300,7 +300,7 @@ create or replace function deleteRbacGrantsOfRbacRole()
strict as $$ strict as $$
begin begin
if TG_OP = 'DELETE' then if TG_OP = 'DELETE' then
delete from RbacGrants g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid); delete from RbacGrants g where old.uuid in (g.userGrantsByRoleUuid, g.ascendantuuid, g.descendantuuid);
else else
raise exception 'invalid usage of TRIGGER BEFORE DELETE'; raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if; end if;
@ -519,12 +519,12 @@ create table RbacGrants
( (
uuid uuid primary key default uuid_generate_v4(), uuid uuid primary key default uuid_generate_v4(),
grantedByTriggerOf uuid references RbacObject (uuid) on delete cascade initially deferred , grantedByTriggerOf uuid references RbacObject (uuid) on delete cascade initially deferred ,
grantedByRoleUuid uuid references RbacRole (uuid), userGrantsByRoleUuid uuid references RbacRole (uuid),
ascendantUuid uuid references RbacReference (uuid), ascendantUuid uuid references RbacReference (uuid),
descendantUuid uuid references RbacReference (uuid), descendantUuid uuid references RbacReference (uuid),
assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false) assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
unique (ascendantUuid, descendantUuid), unique (ascendantUuid, descendantUuid),
constraint rbacGrant_createdBy check ( grantedByRoleUuid is null or grantedByTriggerOf is null) ); constraint rbacGrant_createdBy check ( userGrantsByRoleUuid is null or grantedByTriggerOf is null) );
create index on RbacGrants (ascendantUuid); create index on RbacGrants (ascendantUuid);
create index on RbacGrants (descendantUuid); create index on RbacGrants (descendantUuid);

View File

@ -20,52 +20,52 @@ begin
return currentSubjectsUuids[1]; return currentSubjectsUuids[1];
end; $$; end; $$;
create or replace procedure grantRoleToUserUnchecked(grantedByRoleUuid uuid, roleUuid uuid, userUuid uuid, doAssume boolean = true) create or replace procedure grantRoleToUserUnchecked(userGrantsByRoleUuid uuid, roleUuid uuid, userUuid uuid, doAssume boolean = true)
language plpgsql as $$ language plpgsql as $$
begin begin
perform assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole'); perform assertReferenceType('grantingRoleUuid', userGrantsByRoleUuid, 'RbacRole');
perform assertReferenceType('roleId (descendant)', roleUuid, 'RbacRole'); perform assertReferenceType('roleId (descendant)', roleUuid, 'RbacRole');
perform assertReferenceType('userId (ascendant)', userUuid, 'RbacUser'); perform assertReferenceType('userId (ascendant)', userUuid, 'RbacUser');
raise notice 'role % grants role % to user %, assumed=%', grantedByRoleUuid, roleUuid, userUuid, doAssume; raise notice 'role % grants role % to user %, assumed=%', userGrantsByRoleUuid, roleUuid, userUuid, doAssume;
insert insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) into RbacGrants (userGrantsByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, userUuid, roleUuid, doAssume); values (userGrantsByRoleUuid, userUuid, roleUuid, doAssume);
-- TODO.spec: What should happen on multiple grants? What if options (doAssume) are not the same? -- TODO.spec: What should happen on multiple grants? What if options (doAssume) are not the same?
-- Most powerful or latest grant wins? What about managed? -- Most powerful or latest grant wins? What about managed?
-- on conflict do nothing; -- allow granting multiple times -- on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
create or replace procedure grantRoleToUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true) create or replace procedure grantRoleToUser(userGrantsByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true)
language plpgsql as $$ language plpgsql as $$
declare declare
grantedByRoleIdName text; grantedByRoleIdName text;
grantedRoleIdName text; grantedRoleIdName text;
begin begin
perform assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole'); perform assertReferenceType('grantingRoleUuid', userGrantsByRoleUuid, 'RbacRole');
perform assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole'); perform assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
perform assertReferenceType('userUuid (ascendant)', userUuid, 'RbacUser'); perform assertReferenceType('userUuid (ascendant)', userUuid, 'RbacUser');
assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null'; assert userGrantsByRoleUuid is not null, 'userGrantsByRoleUuid must not be null';
assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null'; assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';
assert userUuid is not null, 'userUuid must not be null'; assert userUuid is not null, 'userUuid must not be null';
if NOT isGranted(currentSubjectsUuids(), grantedByRoleUuid) then if NOT isGranted(currentSubjectsUuids(), userGrantsByRoleUuid) then
select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName; select roleIdName from rbacRole_ev where uuid=userGrantsByRoleUuid into grantedByRoleIdName;
raise exception '[403] Access to granted-by-role % (%) forbidden for % (%)', raise exception '[403] Access to granted-by-role % (%) forbidden for % (%)',
grantedByRoleIdName, grantedByRoleUuid, currentSubjects(), currentSubjectsUuids(); grantedByRoleIdName, userGrantsByRoleUuid, currentSubjects(), currentSubjectsUuids();
end if; end if;
if NOT isGranted(grantedByRoleUuid, grantedRoleUuid) then if NOT isGranted(userGrantsByRoleUuid, grantedRoleUuid) then
select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName; select roleIdName from rbacRole_ev where uuid=userGrantsByRoleUuid into grantedByRoleIdName;
select roleIdName from rbacRole_ev where uuid=grantedRoleUuid into grantedRoleIdName; select roleIdName from rbacRole_ev where uuid=grantedRoleUuid into grantedRoleIdName;
raise exception '[403] Access to granted role % (%) forbidden for % (%)', raise exception '[403] Access to granted role % (%) forbidden for % (%)',
grantedRoleIdName, grantedRoleUuid, grantedByRoleIdName, grantedByRoleUuid; grantedRoleIdName, grantedRoleUuid, grantedByRoleIdName, userGrantsByRoleUuid;
end if; end if;
insert insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) into RbacGrants (userGrantsByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume); values (userGrantsByRoleUuid, userUuid, grantedRoleUuid, doAssume);
-- TODO.spec: What should happen on mupltiple grants? What if options (doAssume) are not the same? -- TODO.spec: What should happen on mupltiple grants? What if options (doAssume) are not the same?
-- Most powerful or latest grant wins? What about managed? -- Most powerful or latest grant wins? What about managed?
-- on conflict do nothing; -- allow granting multiple times -- on conflict do nothing; -- allow granting multiple times
@ -77,40 +77,40 @@ end; $$;
--changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--// --changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace procedure checkRevokeRoleFromUserPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid) create or replace procedure checkRevokeRoleFromUserPreconditions(userGrantsByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid)
language plpgsql as $$ language plpgsql as $$
begin begin
perform assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'RbacRole'); perform assertReferenceType('userGrantsByRoleUuid', userGrantsByRoleUuid, 'RbacRole');
perform assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole'); perform assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
perform assertReferenceType('userUuid (ascendant)', userUuid, 'RbacUser'); perform assertReferenceType('userUuid (ascendant)', userUuid, 'RbacUser');
if NOT isGranted(currentSubjectsUuids(), grantedByRoleUuid) then if NOT isGranted(currentSubjectsUuids(), userGrantsByRoleUuid) then
raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects(); raise exception '[403] Revoking role created by % is forbidden for %.', userGrantsByRoleUuid, currentSubjects();
end if; end if;
if NOT isGranted(grantedByRoleUuid, grantedRoleUuid) then if NOT isGranted(userGrantsByRoleUuid, grantedRoleUuid) then
raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, currentSubjects(); raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, currentSubjects();
end if; end if;
--raise exception 'isGranted(%, %)', currentSubjectsUuids(), grantedByRoleUuid; --raise exception 'isGranted(%, %)', currentSubjectsUuids(), userGrantsByRoleUuid;
if NOT isGranted(currentSubjectsUuids(), grantedByRoleUuid) then if NOT isGranted(currentSubjectsUuids(), userGrantsByRoleUuid) then
raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects(); raise exception '[403] Revoking role granted by % is forbidden for %.', userGrantsByRoleUuid, currentSubjects();
end if; end if;
if NOT isGranted(userUuid, grantedRoleUuid) then if NOT isGranted(userUuid, grantedRoleUuid) then
raise exception '[404] No such grant found granted by % for user % to role %.', grantedByRoleUuid, userUuid, grantedRoleUuid; raise exception '[404] No such grant found granted by % for user % to role %.', userGrantsByRoleUuid, userUuid, grantedRoleUuid;
end if; end if;
end; $$; end; $$;
create or replace procedure revokeRoleFromUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid) create or replace procedure revokeRoleFromUser(userGrantsByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid)
language plpgsql as $$ language plpgsql as $$
begin begin
call checkRevokeRoleFromUserPreconditions(grantedByRoleUuid, grantedRoleUuid, userUuid); call checkRevokeRoleFromUserPreconditions(userGrantsByRoleUuid, grantedRoleUuid, userUuid);
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', userUuid, grantedRoleUuid; raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', userUuid, grantedRoleUuid;
delete from RbacGrants as g delete from RbacGrants as g
where g.ascendantUuid = userUuid and g.descendantUuid = grantedRoleUuid where g.ascendantUuid = userUuid and g.descendantUuid = grantedRoleUuid
and g.grantedByRoleUuid = revokeRoleFromUser.grantedByRoleUuid; and g.userGrantsByRoleUuid = revokeRoleFromUser.userGrantsByRoleUuid;
end; $$; end; $$;
--// --//

View File

@ -60,14 +60,14 @@ create or replace view rbacgrants_ev as
go.objectTable || '#' || findIdNameByObjectUuid(go.objectTable, go.uuid) || '.' || r.roletype as grantedByRoleIdName, go.objectTable || '#' || findIdNameByObjectUuid(go.objectTable, go.uuid) || '.' || r.roletype as grantedByRoleIdName,
x.ascendingIdName as ascendantIdName, x.ascendingIdName as ascendantIdName,
x.descendingIdName as descendantIdName, x.descendingIdName as descendantIdName,
x.grantedByRoleUuid, x.userGrantsByRoleUuid,
x.ascendantUuid as ascendantUuid, x.ascendantUuid as ascendantUuid,
x.descendantUuid as descendantUuid, x.descendantUuid as descendantUuid,
x.assumed x.assumed
from ( from (
select g.uuid as grantUuid, select g.uuid as grantUuid,
g.grantedbytriggerof as grantedbytriggerof, g.grantedbytriggerof as grantedbytriggerof,
g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed, g.userGrantsByRoleUuid, g.ascendantuuid, g.descendantuuid, g.assumed,
coalesce( coalesce(
'user ' || au.name, 'user ' || au.name,
@ -91,7 +91,7 @@ create or replace view rbacgrants_ev as
left outer join rbacpermission dp on dp.uuid = g.descendantUuid left outer join rbacpermission dp on dp.uuid = g.descendantUuid
left outer join rbacobject as dpo on dpo.uuid = dp.objectUuid left outer join rbacobject as dpo on dpo.uuid = dp.objectUuid
) as x ) as x
left outer join rbacrole as r on r.uuid = grantedByRoleUuid left outer join rbacrole as r on r.uuid = userGrantsByRoleUuid
left outer join rbacuser u on u.uuid = x.ascendantuuid left outer join rbacuser u on u.uuid = x.ascendantuuid
left outer join rbacobject go on go.uuid = r.objectuuid left outer join rbacobject go on go.uuid = r.objectuuid
@ -112,10 +112,10 @@ create or replace view rbacgrants_rv as
-- @formatter:off -- @formatter:off
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || '.' || r.roletype as grantedByRoleIdName, select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || '.' || r.roletype as grantedByRoleIdName,
g.objectTable || '#' || g.objectIdName || '.' || g.roletype as grantedRoleIdName, g.userName, g.assumed, g.objectTable || '#' || g.objectIdName || '.' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as userUuid, g.userGrantsByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as userUuid,
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
from ( from (
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed, select g.userGrantsByRoleUuid, g.ascendantuuid, g.descendantuuid, g.assumed,
u.name as userName, o.objecttable, r.objectuuid, r.roletype, u.name as userName, o.objecttable, r.objectuuid, r.roletype,
findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
from rbacgrants as g from rbacgrants as g
@ -124,7 +124,7 @@ select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) ||
left outer join rbacuser u on u.uuid = g.ascendantuuid left outer join rbacuser u on u.uuid = g.ascendantuuid
where isGranted(currentSubjectsUuids(), r.uuid) where isGranted(currentSubjectsUuids(), r.uuid)
) as g ) as g
join RbacRole as r on r.uuid = grantedByRoleUuid join RbacRole as r on r.uuid = userGrantsByRoleUuid
join RbacObject as o on o.uuid = r.objectUuid join RbacObject as o on o.uuid = r.objectUuid
order by grantedRoleIdName; order by grantedRoleIdName;
-- @formatter:on -- @formatter:on
@ -177,7 +177,7 @@ create or replace function deleteRbacGrant()
returns trigger returns trigger
language plpgsql as $$ language plpgsql as $$
begin begin
call revokeRoleFromUser(old.grantedByRoleUuid, old.grantedRoleUuid, old.userUuid); call revokeRoleFromUser(old.userGrantsByRoleUuid, old.grantedRoleUuid, old.userUuid);
return old; return old;
end; $$; end; $$;

View File

@ -37,7 +37,7 @@ declare
subRoleUuid uuid; subRoleUuid uuid;
superRoleUuid uuid; superRoleUuid uuid;
userUuid uuid; userUuid uuid;
grantedByRoleUuid uuid; -- FIXME: rename to userGrantsByRoleUuid userGrantsByRoleUuid uuid;
begin begin
roleUuid := createRole(roleDescriptor); roleUuid := createRole(roleDescriptor);
@ -60,13 +60,13 @@ begin
if cardinality(userUuids) > 0 then if cardinality(userUuids) > 0 then
-- direct grants to users need a grantedByRole which can revoke the grant -- direct grants to users need a grantedByRole which can revoke the grant
if grantedByRole is null then if grantedByRole is null then
grantedByRoleUuid := roleUuid; -- FIXME: or do we want to require an explicit grantedByRoleUuid? userGrantsByRoleUuid := roleUuid; -- FIXME: or do we want to require an explicit userGrantsByRoleUuid?
else else
grantedByRoleUuid := getRoleId(grantedByRole); userGrantsByRoleUuid := getRoleId(grantedByRole);
end if; end if;
foreach userUuid in array userUuids foreach userUuid in array userUuids
loop loop
call grantRoleToUserUnchecked(grantedByRoleUuid, roleUuid, userUuid); call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid);
end loop; end loop;
end if; end if;