introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors

This commit is contained in:
Michael Hoennig 2022-09-16 15:25:58 +02:00
parent 1dd63161ab
commit d63e3f31e9
10 changed files with 88 additions and 203 deletions


@ -13,6 +13,7 @@ gradleWrapper () {
}
alias podman-start='systemctl --user enable --now podman.socket && systemctl --user status podman.socket && ls -la /run/user/$UID/podman/podman.sock'
alias podman-stop='systemctl --user disable --now podman.socket && systemctl --user status podman.socket && ls -la /run/user/$UID/podman/podman.sock'
alias podman-use='export DOCKER_HOST="unix:///run/user/$UID/podman/podman.sock"; export TESTCONTAINERS_RYUK_DISABLED=true'
alias gw=gradleWrapper
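Review bot: The `podman-use` alias exports `TESTCONTAINERS_RYUK_DISABLED=true` without any comment saying why, and that setting switches off the Testcontainers reaper, so containers, networks and volumes left behind by aborted test runs are no longer removed automatically. If this is the line the hunk adds (the rendered page lost the +/- markers, and only five of the seven new lines are shown), a comment next to it would save the next reader from re-enabling it by accident: `# Ryuk (the Testcontainers reaper) presumably cannot run against the rootless podman socket; stale test containers must be pruned by hand, e.g. podman system prune`. The enclosing gradleWrapper function starts before this hunk.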


@ -174,33 +174,6 @@ begin
return old;
end; $$;
create or replace procedure generateRelatedRbacObject(targetTable varchar)
language plpgsql as $$
declare
createInsertTriggerSQL text;
createDeleteTriggerSQL text;
begin
createInsertTriggerSQL = format($sql$
create trigger createRbacObjectFor_%s_Trigger
before insert
on %s
for each row
execute procedure insertRelatedRbacObject();
$sql$, targetTable, targetTable);
execute createInsertTriggerSQL;
createDeleteTriggerSQL = format($sql$
create trigger deleteRbacRulesFor_%s_Trigger
before delete
on %s
for each row
execute procedure deleteRelatedRbacObject();
$sql$, targetTable, targetTable);
execute createDeleteTriggerSQL;
end; $$;
--//
-- ============================================================================
--changeset rbac-base-ROLE:1 endDelimiter:--//


@ -0,0 +1,72 @@
--liquibase formatted sql
-- ============================================================================
--changeset rbac-generators-RELATED-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure generateRelatedRbacObject(targetTable varchar)
language plpgsql as $$
declare
createInsertTriggerSQL text;
createDeleteTriggerSQL text;
begin
createInsertTriggerSQL = format($sql$
create trigger createRbacObjectFor_%s_Trigger
before insert
on %s
for each row
execute procedure insertRelatedRbacObject();
$sql$, targetTable, targetTable);
execute createInsertTriggerSQL;
createDeleteTriggerSQL = format($sql$
create trigger deleteRbacRulesFor_%s_Trigger
before delete
on %s
for each row
execute procedure deleteRelatedRbacObject();
$sql$, targetTable, targetTable);
execute createDeleteTriggerSQL;
end; $$;
--//
-- ============================================================================
--changeset rbac-generators-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure generateRbacRoleDescriptors(prefix text, targetTable text)
language plpgsql as $$
declare
sql text;
begin
sql = format($sql$
create or replace function %1$sOwner(entity %2$s)
returns RbacRoleDescriptor
language plpgsql
strict as $f$
begin
return roleDescriptor('%2$s', entity.uuid, 'owner');
end; $f$;
create or replace function %1$sAdmin(entity %2$s)
returns RbacRoleDescriptor
language plpgsql
strict as $f$
begin
return roleDescriptor('%2$s', entity.uuid, 'admin');
end; $f$;
create or replace function %1$sTenant(entity %2$s)
returns RbacRoleDescriptor
language plpgsql
strict as $f$
begin
return roleDescriptor('%2$s', entity.uuid, 'tenant');
end; $f$;
$sql$, prefix, targetTable);
execute sql;
end; $$;
--//
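Review bot: Both generators splice `targetTable` and `prefix` into DDL with plain `%s` (lines `create trigger createRbacObjectFor_%s_Trigger ... on %s` and `create or replace function %1$sOwner(entity %2$s)`), so whatever string is passed becomes executable SQL; today every caller is a migration script with literal arguments, but the procedures themselves carry no guard and no comment stating that they must never receive runtime-supplied names. Switching to `%I` is not a drop-in fix here, because `%I` would double-quote camelCase prefixes such as `testCustomer` and thereby stop the identifier from folding to `testcustomerowner`, which is the name existing callers resolve; a simple allowlist check at the top of each procedure keeps the current behaviour for valid names and rejects anything else. The procedure also never drops a pre-existing trigger, so unlike the hand-written changesets it replaces it is not re-runnable; that is acceptable for run-once Liquibase changesets but worth stating in a header comment. The delete trigger is named `deleteRbacRulesFor_%s_Trigger` while it invokes `deleteRelatedRbacObject()`; aligning the name with the function would make later `drop trigger` statements less error-prone.
```sql
create or replace procedure generateRelatedRbacObject(targetTable varchar)
-- … unchanged: language / declare …
begin
    -- the name is interpolated into DDL, so only a plain snake_case identifier is accepted
    if targetTable !~ '^[a-z_][a-z0-9_]*$' then
        raise exception 'generateRelatedRbacObject: invalid table name "%"', targetTable;
    end if;
    -- … unchanged: createInsertTriggerSQL / createDeleteTriggerSQL …

create or replace procedure generateRbacRoleDescriptors(prefix text, targetTable text)
-- … unchanged: language / declare …
begin
    -- both values are interpolated into DDL; prefix may be camelCase (it folds unquoted)
    if prefix !~ '^[A-Za-z_][A-Za-z0-9_]*$' or targetTable !~ '^[a-z_][a-z0-9_]*$' then
        raise exception 'generateRbacRoleDescriptors: invalid identifier "%"/"%"', prefix, targetTable;
    end if;
    -- … unchanged: sql = format(...) / execute sql …
```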


@ -1,47 +1,16 @@
--liquibase formatted sql
-- ============================================================================
--changeset test-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
--changeset test-customer-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/
drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;
create trigger createRbacObjectForCustomer_Trigger
before insert
on test_customer
for each row
execute procedure insertRelatedRbacObject();
call generateRelatedRbacObject('test_customer');
--//
-- ============================================================================
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function testCustomerOwner(customer test_customer)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('test_customer', customer.uuid, 'owner');
end; $$;
create or replace function testCustomerAdmin(customer test_customer)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('test_customer', customer.uuid, 'admin');
end; $$;
create or replace function testCustomerTenant(customer test_customer)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('test_customer', customer.uuid, 'tenant');
end; $$;
call generateRbacRoleDescriptors('testCustomer', 'test_customer');
--//
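Review bot: The changeset id on the `--changeset test-customer-rbac-OBJECT:1` line differs from the removed `test-customer-rbac-CREATE-OBJECT:1`, and the generator names its trigger `createRbacObjectFor_test_customer_Trigger` instead of the old `createRbacObjectForCustomer_Trigger`, so on any database that already ran the old changeset Liquibase will treat this as a new one and the table ends up with two BEFORE INSERT triggers both calling insertRelatedRbacObject(). Whether such databases exist is not visible in the diff; if they can, either keep the old id or add `drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;` before the `call generateRelatedRbacObject('test_customer');` line. The ROLE-DESCRIPTORS changeset keeps its id while its body changes, which Liquibase flags as a checksum mismatch on already-migrated databases unless it is marked `runOnChange:true` or the database is rebuilt.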


@ -1,47 +1,16 @@
--liquibase formatted sql
-- ============================================================================
--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
--changeset test-package-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/
drop trigger if exists createRbacObjectForPackage_Trigger on test_package;
create trigger createRbacObjectForPackage_Trigger
before insert
on test_package
for each row
execute procedure insertRelatedRbacObject();
call generateRelatedRbacObject('test_package');
--//
-- ============================================================================
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function testPackageOwner(pac test_package)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('test_package', pac.uuid, 'owner');
end; $$;
create or replace function testPackageAdmin(pac test_package)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('test_package', pac.uuid, 'admin');
end; $$;
create or replace function testPackageTenant(pac test_package)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('test_package', pac.uuid, 'tenant');
end; $$;
call generateRbacRoleDescriptors('testPackage', 'test_package');
--//
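Review bot: The `call generateRelatedRbacObject('test_package');` line installs a BEFORE DELETE trigger in addition to the BEFORE INSERT trigger that the removed hand-written changeset had, and the explanatory comment `Creates the related RbacObject through a BEFORE INSERT TRIGGER.` was deleted with it, so the changeset no longer says what it does; a replacement comment such as `-- installs the BEFORE INSERT / BEFORE DELETE triggers that create and remove the RbacObject for each row` would keep that visible. Because the changeset id also changed (`test-package-rbac-CREATE-OBJECT:1` to `test-package-rbac-OBJECT:1`) and the new trigger name differs from the old `createRbacObjectForPackage_Trigger`, an already-migrated database would get a second insert trigger; if that scenario is possible, a `drop trigger if exists createRbacObjectForPackage_Trigger on test_package;` ahead of the call prevents it.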


@ -1,47 +1,16 @@
--liquibase formatted sql
-- ============================================================================
--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
--changeset test-domain-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/
drop trigger if exists createRbacObjectFortest_domain_Trigger on test_domain;
create trigger createRbacObjectFortest_domain_Trigger
before insert
on test_domain
for each row
execute procedure insertRelatedRbacObject();
call generateRelatedRbacObject('test_domain');
--//
-- ============================================================================
--changeset test-domain-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function testdomainOwner(uu test_domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('test_domain', uu.uuid, 'owner');
end; $$;
create or replace function testdomainAdmin(uu test_domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('test_domain', uu.uuid, 'admin');
end; $$;
create or replace function testdomainTenant(uu test_domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('test_domain', uu.uuid, 'tenant');
end; $$;
call generateRbacRoleDescriptors('testDomain', 'test_domain');
create or replace function createTestDomainTenantRoleIfNotExists(domain test_domain)
returns uuid
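Review bot: The `call generateRbacRoleDescriptors('testDomain', 'test_domain');` line passes a camelCase prefix while the removed functions were spelled `testdomainOwner/Admin/Tenant`; this is only compatible because unquoted identifiers fold to lowercase, which is not obvious to a reader and deserves a short comment, e.g. `-- generated names fold to testdomainowner/testdomainadmin/testdomaintenant`. The changeset id moved from the copy-pasted `test-package-rbac-CREATE-OBJECT:1` to `test-domain-rbac-OBJECT:1` and the trigger name changes from `createRbacObjectFortest_domain_Trigger` to the generated `createRbacObjectFor_test_domain_Trigger`, so a database that already applied the old changeset would receive a second BEFORE INSERT trigger; if that can happen, add `drop trigger if exists createRbacObjectFortest_domain_Trigger on test_domain;` before the generator call. The function createTestDomainTenantRoleIfNotExists begins at the end of this hunk and continues outside it.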


@ -10,30 +10,7 @@ call generateRelatedRbacObject('hs_office_contact');
-- ============================================================================
--changeset hs-office-contact-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function hsOfficeContactOwner(contact hs_office_contact)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_contact', contact.uuid, 'owner');
end; $$;
create or replace function hsOfficeContactAdmin(contact hs_office_contact)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_contact', contact.uuid, 'admin');
end; $$;
create or replace function hsOfficeContactTenant(contact hs_office_contact)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_contact', contact.uuid, 'tenant');
end; $$;
call generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact');
--//
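Review bot: The generated functions declare their parameter as `entity` whereas the removed ones used `contact`, and PostgreSQL rejects a `create or replace function` that renames an input parameter (`cannot change name of input parameter`), so this changeset cannot be re-applied on a database where the old hsOfficeContactOwner/Admin/Tenant functions still exist; any caller using named notation such as `hsOfficeContactOwner(contact => c)` would also stop compiling. Since the changeset id `hs-office-contact-rbac-ROLE-DESCRIPTORS:1` is unchanged while its body is, Liquibase will additionally report a checksum mismatch on migrated databases. If those databases are always rebuilt that is fine, but it should be said; otherwise drop the old functions first or give the changeset a new id.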


@ -1,6 +1,5 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-person-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
@ -11,30 +10,7 @@ call generateRelatedRbacObject('hs_office_person');
-- ============================================================================
--changeset hs-office-person-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function hsOfficePersonOwner(person hs_office_person)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_person', person.uuid, 'owner');
end; $$;
create or replace function hsOfficePersonAdmin(person hs_office_person)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_person', person.uuid, 'admin');
end; $$;
create or replace function hsOfficePersonTenant(person hs_office_person)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_person', person.uuid, 'tenant');
end; $$;
call generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');
--//
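Review bot: After this replacement nothing in the changeset states which functions the `call generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');` line creates, so someone grepping for `hsOfficePersonOwner` will find only call sites and no definition. A one-line comment above the call, e.g. `-- creates hsOfficePersonOwner/hsOfficePersonAdmin/hsOfficePersonTenant(hs_office_person) via 058-rbac-generators.sql`, keeps the mapping discoverable. Note that the generated parameter is named `entity` rather than the previous `person`, which matters for any named-notation caller; I cannot see from the diff whether such callers exist.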


@ -10,30 +10,7 @@ call generateRelatedRbacObject('hs_office_partner');
-- ============================================================================
--changeset hs-office-partner-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function hsOfficePartnerOwner(partner hs_office_partner)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_partner', partner.uuid, 'owner');
end; $$;
create or replace function hsOfficePartnerAdmin(partner hs_office_partner)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_partner', partner.uuid, 'admin');
end; $$;
create or replace function hsOfficePartnerTenant(partner hs_office_partner)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('hs_office_partner', partner.uuid, 'tenant');
end; $$;
call generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner');
--//
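Review bot: The changeset `hs-office-partner-rbac-ROLE-DESCRIPTORS:1` keeps its id but its body is replaced by the `call generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner');` line, so Liquibase's checksum validation will reject it on any database that already ran the previous version; the diff does not show whether the changelog relies on fresh databases or a `runOnChange:true` / `validCheckSum` setting. If re-execution is expected, the renamed parameter (`partner` to `entity`) also blocks the `create or replace`, because PostgreSQL does not allow changing an input parameter name; `drop function if exists hsOfficePartnerOwner(hs_office_partner), hsOfficePartnerAdmin(hs_office_partner), hsOfficePartnerTenant(hs_office_partner);` before the call would make the changeset re-runnable.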


@ -23,6 +23,8 @@ databaseChangeLog:
file: db/changelog/055-rbac-views.sql
- include:
file: db/changelog/057-rbac-role-builder.sql
- include:
file: db/changelog/058-rbac-generators.sql
- include:
file: db/changelog/059-rbac-statistics.sql
- include: