From bcef4e794dcf1cc25e91b214757165ef2fc788a5 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Fri, 13 Sep 2024 20:33:32 +0200
Subject: [PATCH] rbac.permission
---
 .../rbacgrant/RbacGrantsDiagramService.java | 2 +-
 .../db/changelog/1-rbac/1050-rbac-base.sql | 40 +++++++++----------
 .../db/changelog/1-rbac/1055-rbac-views.sql | 4 +-
 .../changelog/1-rbac/1058-rbac-generators.sql | 2 +-
 .../changelog/1-rbac/1059-rbac-statistics.sql | 2 +-
 5 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
index a76de163..d95cd252 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
@@ -94,7 +94,7 @@ public class RbacGrantsDiagramService {
 }
 public String allGrantsFrom(final UUID targetObject, final String op, final EnumSet includes) {
- final var refUuid = (UUID) em.createNativeQuery("SELECT uuid FROM rbacpermission WHERE objectuuid=:targetObject AND op=:op")
+ final var refUuid = (UUID) em.createNativeQuery("SELECT uuid FROM rbac.permission WHERE objectuuid=:targetObject AND op=:op")
 .setParameter("targetObject", targetObject)
 .setParameter("op", op)
 .getSingleResult();
diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
index 41ac20b3..6ddd9d8e 100644
--- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
+++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
@@ -6,7 +6,7 @@
 /*
 */
-create type rbac.referenceType as enum ('rbac.subject', 'RbacRole', 'RbacPermission');
+create type rbac.referenceType as enum ('rbac.subject', 'RbacRole', 'rbac.permission');
 create table rbac.reference
 (
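Review bot: The `@@ -6,7` hunk of 1050-rbac-base.sql changes the enum label of `rbac.referenceType` in place, from 'RbacPermission' to 'rbac.permission', but a changelog file that has already been applied is not re-executed, so an existing database would keep the old label in both the type and the `rbac.reference."type"` column while the new code inserts and asserts 'rbac.permission'. If this changelog is only ever applied to freshly created databases, a comment at the top of the changeset saying so would settle it; otherwise Postgres offers `ALTER TYPE rbac.referenceType RENAME VALUE 'RbacPermission' TO 'rbac.permission';` as a forward-only migration step. The label list now mixes the schema-qualified style with 'RbacRole'; presumably that is renamed separately, but it is worth stating in the commit message.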
@@ -331,7 +331,7 @@ create or replace function deleteRbacRolesOfRbacObject()
 strict as $$
 begin
 if TG_OP = 'DELETE' then
- delete from RbacPermission p where p.objectuuid = old.uuid;
+ delete from rbac.permission p where p.objectuuid = old.uuid;
 delete from RbacRole r where r.objectUuid = old.uuid;
 else
 raise exception 'invalid usage of TRIGGER BEFORE DELETE';
@@ -365,7 +365,7 @@ create domain RbacOp as varchar(6)
 or VALUE = 'ASSUME'
 );
-create table RbacPermission
+create table rbac.permission
 (
 uuid uuid primary key references rbac.reference (uuid) on delete cascade,
 objectUuid uuid not null references rbac.object,
@@ -373,13 +373,13 @@ create table RbacPermission
 opTableName varchar(60)
 );
 -- TODO.perf: check if these indexes are really useful
-create index on RbacPermission (objectUuid, op);
-create index on RbacPermission (opTableName, op);
+create index on rbac.permission (objectUuid, op);
+create index on rbac.permission (opTableName, op);
-ALTER TABLE RbacPermission
+ALTER TABLE rbac.permission
 ADD CONSTRAINT RbacPermission_uc UNIQUE NULLS NOT DISTINCT (objectUuid, op, opTableName);
-call base.create_journal('RbacPermission');
+call base.create_journal('rbac.permission');
 create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
 returns uuid
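Review bot: In the `@@ -373,13` hunk the table is moved to rbac.permission but its unique constraint keeps the old name in `ADD CONSTRAINT RbacPermission_uc UNIQUE NULLS NOT DISTINCT (objectUuid, op, opTableName);`, so constraint-violation errors and later migrations will reference a name that no longer matches any table; renaming it in the same commit (for example `permission_uc`, or whatever the other rbac.* constraints use) keeps it greppable. The same hunk now passes a dotted name to `call base.create_journal('rbac.permission');` and the procedure body is not visible here, so please confirm it handles a schema-qualified argument (for instance when it derives trigger or journal-table names from the string) rather than treating it as a bare identifier. The two `create index on rbac.permission (...)` statements are still unnamed; giving them explicit names would make the TODO.perf follow-up easier to act on.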
@@ -398,19 +398,19 @@ begin
 end if;
 permissionUuid := (
- select uuid from RbacPermission
+ select uuid from rbac.permission
 where objectUuid = forObjectUuid and op = forOp and opTableName is not distinct from forOpTableName);
 if (permissionUuid is null) then
 insert into rbac.reference ("type")
- values ('RbacPermission')
+ values ('rbac.permission')
 returning uuid into permissionUuid;
 begin
- insert into RbacPermission (uuid, objectUuid, op, opTableName)
+ insert into rbac.permission (uuid, objectUuid, op, opTableName)
 values (permissionUuid, forObjectUuid, forOp, forOpTableName);
 exception
 when others then
- raise exception 'insert into RbacPermission (uuid, objectUuid, op, opTableName)
+ raise exception 'insert into rbac.permission (uuid, objectUuid, op, opTableName)
 values (%, %, %, %);', permissionUuid, forObjectUuid, forOp, forOpTableName;
 end;
 end if;
@@ -423,7 +423,7 @@ create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp R
 stable -- leakproof
 language sql as $$
 select uuid
- from RbacPermission p
+ from rbac.permission p
 where p.objectUuid = forObjectUuid
 and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT'
 and p.opTableName = forOpTableName
@@ -435,7 +435,7 @@ create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, fo
 stable -- leakproof
 language sql as $$
 select uuid
- from RbacPermission p
+ from rbac.permission p
 where p.objectUuid = forObjectUuid
 and p.op = forOp
 and p.opTableName = forOpTableName
@@ -449,7 +449,7 @@ declare
 permissionUuid uuid;
 begin
 select uuid into permissionUuid
- from RbacPermission p
+ from rbac.permission p
 where p.objectUuid = forObjectUuid
 and p.op = forOp
 and forOpTableName is null or p.opTableName = forOpTableName;
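Review bot: In the `@@ -449,7` hunk the unchanged predicate `and forOpTableName is null or p.opTableName = forOpTableName` binds as `(p.objectUuid = forObjectUuid and p.op = forOp and forOpTableName is null) or p.opTableName = forOpTableName`, because AND has higher precedence than OR, so whenever a table name is supplied the object and op filters are bypassed and `select uuid into permissionUuid` silently takes the first permission of any object that has that opTableName. For an authorization lookup that is the wrong row with no error; the intended form is presumably `and (forOpTableName is null or p.opTableName = forOpTableName);`, and `select uuid into strict permissionUuid` would additionally turn zero or multiple matches into an error instead of a silent first row, if callers can tolerate that. This predates the commit and the enclosing function starts outside the hunk, but the hunk already rewrites this statement. The `findEffectivePermissionId` and `findPermissionId` hunks above use plain `p.opTableName = forOpTableName` and are not affected.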
@@ -592,7 +592,7 @@ create or replace procedure grantPermissionToRole(permissionUuid uuid, roleUuid
 language plpgsql as $$
 begin
 perform rbac.assertReferenceType('roleId (ascendant)', roleUuid, 'RbacRole');
- perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'RbacPermission');
+ perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission');
 insert into rbac.grants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
@@ -683,14 +683,14 @@ begin
 superRoleId := findRoleId(superRole);
 perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'RbacRole');
- perform rbac.assertReferenceType('permission (descendant)', permissionId, 'RbacPermission');
+ perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
 if (isGranted(superRoleId, permissionId)) then
 delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId;
 else
 select p.op, o.objectTable, o.uuid
 from rbac.grants g
- join rbacPermission p on p.uuid=g.descendantUuid
+ join rbac.permission p on p.uuid=g.descendantUuid
 join rbac.object o on o.uuid=p.objectUuid
 where g.uuid=permissionId
 into permissionOp, objectTable, objectUuid;
@@ -735,7 +735,7 @@ begin
 )
 SELECT DISTINCT perm.objectUuid
 FROM granted
- JOIN RbacPermission perm ON granted.descendantUuid = perm.uuid
+ JOIN rbac.permission perm ON granted.descendantUuid = perm.uuid
 JOIN rbac.object obj ON obj.uuid = perm.objectUuid
 WHERE (requiredOp = 'SELECT' OR perm.op = requiredOp)
 AND obj.objectTable = forObjectTable
@@ -759,7 +759,7 @@ $$;
 Returns all permissions accessible to the given subject UUID (subject or role).
 */
 create or replace function queryPermissionsGrantedToSubjectId(subjectId uuid)
- returns setof RbacPermission
+ returns setof rbac.permission
 strict
 language sql as $$
 with recursive grants as (
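Review bot: In the `@@ -683,14` hunk the lookup of the permission's op and object filters with `where g.uuid=permissionId`, yet `permissionId` was just asserted to be a reference of type 'rbac.permission' while `g.uuid` is the grant row's own uuid, so the predicate compares two different kinds of identifier and the `select ... into permissionOp, objectTable, objectUuid` would appear to assign nulls rather than the permission's data. It looks like it should read `where p.uuid = permissionId`, in which case the detour through rbac.grants is unnecessary and the op and object can be read from rbac.permission joined to rbac.object directly. This line is unchanged by the commit and the enclosing function begins outside the hunk, so please confirm against the rest of the body before changing it.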
@@ -772,7 +772,7 @@ with recursive grants as (
 inner join grants on grants.descendantUuid = g.ascendantUuid
 )
 select perm.*
- from RbacPermission perm
+ from rbac.permission perm
 where perm.uuid in (
 select descendantUuid
 from grants
diff --git a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
index d549bb42..94e1616c 100644
--- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
+++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
@@ -93,7 +93,7 @@ create or replace view rbacgrants_ev as
 left outer join rbacrole as dr on dr.uuid = g.descendantUuid
 left outer join rbac.object as dro on dro.uuid = dr.objectuuid
- left outer join rbacpermission dp on dp.uuid = g.descendantUuid
+ left outer join rbac.permission dp on dp.uuid = g.descendantUuid
 left outer join rbac.object as dpo on dpo.uuid = dp.objectUuid
 ) as x
 left outer join rbacrole as r on r.uuid = grantedByRoleUuid
@@ -331,7 +331,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid, o.objecttable, r.objectidname, o.uuid as objectuuid
 from rbacrole_rv r
 join rbac.grants g on g.ascendantuuid = r.uuid
- join rbacpermission p on p.uuid = g.descendantuuid
+ join rbac.permission p on p.uuid = g.descendantuuid
 join rbac.object o on o.uuid = p.objectuuid;
 grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
 -- @formatter:om
diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
index e0dcf75e..05941d1b 100644
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@@ -202,7 +202,7 @@ begin
 as valid)
 select distinct perm.objectuuid
 from recursive_grants
- join rbacpermission perm on recursive_grants.descendantuuid = perm.uuid
+ join rbac.permission perm on recursive_grants.descendantuuid = perm.uuid
 join rbac.object obj on obj.uuid = perm.objectuuid
 join count_check cc on cc.valid
 where obj.objectTable = '%1$s' -- 'SELECT' permission is included in all other permissions
diff --git a/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql b/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql
index e503ae01..7367e1f0 100644
--- a/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql
+++ b/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql
@@ -14,7 +14,7 @@ select no, to_char("count", '9 999 999 999') as "count", "table"
 from RbacRole
 union
 select 3 as no, count(*) as "count", 'permissions' as "table"
- from RbacPermission
+ from rbac.permission
 union
 select 4 as no, count(*) as "count", 'references' as "table"
 from rbac.reference