Merge pull request 'fix misleading findPermissionId naming' (#19) from fix-findPermissionId into master

Reviewed-on: #19 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net>
2024-02-22 09:27:07 +01:00 · 2024-02-22 09:27:07 +01:00 · c7003148ae
commit c7003148ae
parent 496cdf295b 36654a69d8
4 changed files with 24 additions and 9 deletions
--- a/doc/adr/2022-07-18.row-level-security-mechanism.md
+++ b/doc/adr/2022-07-18.row-level-security-mechanism.md
@ -74,7 +74,7 @@ For restricted DB-users, which are used by the backend, access to rows is filter
        FOR SELECT
        TO restricted
        USING (
-            isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid())
+            isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentUserUuid())
        );
    
    SET SESSION AUTHORIZATION restricted;
@ -101,7 +101,7 @@ We are bound to PostgreSQL, including integration tests and testing the RBAC sys
    CREATE OR REPLACE RULE "_RETURN" AS
        ON SELECT TO cust_view
        DO INSTEAD
-            SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid());
+            SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentUserUuid());

    SET SESSION AUTHORIZATION restricted;
    SET hsadminng.currentUser TO 'alex@example.com';
--- a/sql/rbac-tests.sql
+++ b/sql/rbac-tests.sql
@ -19,11 +19,11 @@ select *
 FROM queryAllPermissionsOfSubjectId(findRbacUser('rosa@example.com'));

 select *
-FROM queryAllRbacUsersWithPermissionsFor(findPermissionId('customer',
+FROM queryAllRbacUsersWithPermissionsFor(findEffectivePermissionId('customer',
                                                          (SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
                                                          'add-package'));
 select *
-FROM queryAllRbacUsersWithPermissionsFor(findPermissionId('package',
+FROM queryAllRbacUsersWithPermissionsFor(findEffectivePermissionId('package',
                                                          (SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
                                                          'delete'));

@ -34,12 +34,12 @@ $$
        result bool;
    BEGIN
        userId = findRbacUser('superuser-alex@hostsharing.net');
-        result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
+        result = (SELECT * FROM isPermissionGrantedToSubject(findEffectivePermissionId('package', 94928, 'add-package'), userId));
        IF (result) THEN
            RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
        end if;

-        result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'view'), userId));
+        result = (SELECT * FROM isPermissionGrantedToSubject(findEffectivePermissionId('package', 94928, 'view'), userId));
        IF (NOT result) THEN
            RAISE EXCEPTION 'expected permission to be granted, but it is NOT';
        end if;
--- a/sql/rbac-view-option-experiments.sql
+++ b/sql/rbac-view-option-experiments.sql
@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
    TO restricted
    USING (
        -- id=1000
-        isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid())
+        isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'view'), currentUserUuid())
    );

 SET SESSION AUTHORIZATION restricted;
@ -35,7 +35,7 @@ SELECT * FROM customer;
 CREATE OR REPLACE RULE "_RETURN" AS
    ON SELECT TO cust_view
    DO INSTEAD
-    SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
+    SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'view'), currentUserUuid());
 SELECT * from cust_view LIMIT 10;

 select queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net'));
--- a/src/main/resources/db/changelog/050-rbac-base.sql
+++ b/src/main/resources/db/changelog/050-rbac-base.sql
@ -438,9 +438,24 @@ create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
 select uuid
    from RbacPermission p
    where p.objectUuid = forObjectUuid
-      and p.op in ('*', forOp)
+      and p.op = forOp
 $$;

+create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp RbacOp)
+    returns uuid
+    returns null on null input
+    stable -- leakproof
+    language plpgsql as $$
+declare
+    permissionId uuid;
+begin
+    permissionId := findPermissionId(forObjectUuid, forOp);
+    if permissionId is null and forOp <> '*' then
+        permissionId := findPermissionId(forObjectUuid, '*');
+    end if;
+    return permissionId;
+end $$;
+
 --//

 -- ============================================================================