Liquibase-Scripts and database migration possible with explicit (non-superuser) DB-User

2024-01-11 18:05:46 +01:00 · 2024-01-11 18:05:46 +01:00 · db7c101691
commit db7c101691
parent 70621fd482
11 changed files with 60 additions and 38 deletions
--- a/src/main/resources/db/changelog/010-context.sql
+++ b/src/main/resources/db/changelog/010-context.sql
@ -55,7 +55,7 @@ end; $$;
 */
 create or replace function currentTask()
    returns varchar(96)
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    currentTask varchar(96);
@ -83,7 +83,7 @@ end; $$;
 */
 create or replace function currentRequest()
    returns varchar(512)
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    currentRequest varchar(512);
@ -107,7 +107,7 @@ end; $$;
 */
 create or replace function currentUser()
    returns varchar(63)
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    currentUser varchar(63);
@ -131,7 +131,7 @@ end; $$;
 */
 create or replace function assumedRoles()
    returns varchar(63)[]
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    currentSubject varchar(63);
@ -214,7 +214,7 @@ end ; $$;

 create or replace function currentSubjects()
    returns varchar(63)[]
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    assumedRoles varchar(63)[];
@ -229,7 +229,7 @@ end; $$;

 create or replace function hasAssumedRole()
    returns boolean
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 begin
    return array_length(assumedRoles(), 1) > 0;
--- a/src/main/resources/db/changelog/050-rbac-base.sql
+++ b/src/main/resources/db/changelog/050-rbac-base.sql
@ -208,7 +208,7 @@ create type RbacRoleDescriptor as
 create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType)
    returns RbacRoleDescriptor
    returns null on null input
-    stable leakproof
+    stable -- leakproof
    language sql as $$
 select objectTable, objectUuid, roleType::RbacRoleType;
 $$;
@ -432,7 +432,7 @@ $$;
 create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
    returns uuid
    returns null on null input
-    stable leakproof
+    stable -- leakproof
    language sql as $$
 select uuid
    from RbacPermission p
@ -515,7 +515,7 @@ end; $$;

 create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
    returns BOOL
-    stable leakproof
+    stable -- leakproof
    language sql as $$
 select exists(
           select *
@ -537,7 +537,7 @@ $$;

 create or replace function hasGlobalRoleGranted(userUuid uuid)
    returns bool
-    stable leakproof
+    stable -- leakproof
    language sql as $$
 select exists(
           select r.uuid
@ -758,13 +758,18 @@ $$;


 -- ============================================================================
--changeset rbac-base-PGSQL-ROLES:1 endDelimiter:--//
+--changeset rbac-base-PGSQL-ROLES:1 context:dev,tc endDelimiter:--//
 -- ----------------------------------------------------------------------------

-create role admin;
-grant all privileges on all tables in schema public to admin;
-
-create role restricted;
-grant all privileges on all tables in schema public to restricted;
+do $$
+    begin
+        if '${ADMIN_USER}'='admin' then
+            create role admin;
+            grant all privileges on all tables in schema public to admin;

+            create role restricted;
+            grant all privileges on all tables in schema public to restricted;
+        end if;
+    end $$
 --//
+
--- a/src/main/resources/db/changelog/051-rbac-user-grant.sql
+++ b/src/main/resources/db/changelog/051-rbac-user-grant.sql
@ -6,7 +6,7 @@

 create or replace function assumedRoleUuid()
    returns uuid
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    currentSubjectsUuids uuid[];
--- a/src/main/resources/db/changelog/054-rbac-context.sql
+++ b/src/main/resources/db/changelog/054-rbac-context.sql
@ -7,7 +7,7 @@

 create or replace function determineCurrentUserUuid(currentUser varchar)
    returns uuid
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    currentUserUuid uuid;
@ -25,7 +25,7 @@ end; $$;

 create or replace function determineCurrentSubjectsUuids(currentUserUuid uuid, assumedRoles varchar)
    returns uuid[]
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    roleName            text;
@ -116,7 +116,7 @@ end; $$;

 create or replace function currentUserUuid()
    returns uuid
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    currentUserUuid text;
@ -150,7 +150,7 @@ end; $$;
 */
 create or replace function currentSubjectsUuids()
    returns uuid[]
-    stable leakproof
+    stable -- leakproof
    language plpgsql as $$
 declare
    currentSubjectsUuids text;
--- a/src/main/resources/db/changelog/055-rbac-views.sql
+++ b/src/main/resources/db/changelog/055-rbac-views.sql
@ -41,7 +41,7 @@ select *
        ) as unordered
        -- @formatter:on
        order by objectTable || '#' || objectIdName || '.' || roleType;
-grant all privileges on rbacrole_rv to restricted;
+grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
 --//


@ -126,7 +126,7 @@ select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) ||
             join RbacObject as o on o.uuid = r.objectUuid
    order by grantedRoleIdName;
 -- @formatter:on
-grant all privileges on rbacrole_rv to restricted;
+grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
 --//


@ -240,7 +240,7 @@ create or replace view RbacUser_rv as
        ) as unordered
        -- @formatter:on
        order by unordered.name;
-grant all privileges on RbacUser_rv to restricted;
+grant all privileges on RbacUser_rv to ${RESTRICTED_USER};
 --//

 -- ============================================================================
@ -326,7 +326,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
    join rbacgrants g on g.ascendantuuid = r.uuid
    join rbacpermission p on p.uuid = g.descendantuuid
    join rbacobject o on o.uuid = p.objectuuid;
-grant all privileges on RbacOwnGrantedPermissions_rv to restricted;
+grant all privileges on RbacOwnGrantedPermissions_rv to ${RESTRICTED_USER};
 -- @formatter:om

 -- ============================================================================
--- a/src/main/resources/db/changelog/058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/058-rbac-generators.sql
@ -104,7 +104,7 @@ begin
            create or replace view %1$s_iv as
            select target.uuid, cleanIdentifier(%2$s) as idName
                from %1$s as target;
-            grant all privileges on %1$s_iv to restricted;
+            grant all privileges on %1$s_iv to ${RESTRICTED_USER};
        $sql$, targetTable, idNameExpression);
    execute sql;

@ -157,7 +157,7 @@ begin
                from %1$s as target
                where target.uuid in (select * from accessibleObjects)
                order by %2$s;
-            grant all privileges on %1$s_rv to restricted;
+            grant all privileges on %1$s_rv to ${RESTRICTED_USER};
        $sql$, targetTable, orderBy);
    execute sql;

--- a/src/main/resources/db/changelog/080-rbac-global.sql
+++ b/src/main/resources/db/changelog/080-rbac-global.sql
@ -18,7 +18,7 @@ create table Global
 );
 create unique index Global_Singleton on Global ((0));

-grant select on global to restricted;
+grant select on global to ${RESTRICTED_USER};
 --//


@ -48,7 +48,7 @@ drop view if exists global_iv;
 create or replace view global_iv as
 select target.uuid, target.name as idName
    from global as target;
-grant all privileges on global_iv to restricted;
+grant all privileges on global_iv to ${RESTRICTED_USER};

 /*
    Returns the objectUuid for a given identifying name (in this case the idName).
@ -99,7 +99,7 @@ commit;
 create or replace function globalAdmin()
    returns RbacRoleDescriptor
    returns null on null input
-    stable leakproof
+    stable -- leakproof
    language sql as $$
 select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
 $$;
--- a/src/main/resources/db/changelog/123-test-package-rbac.sql
+++ b/src/main/resources/db/changelog/123-test-package-rbac.sql
@ -93,7 +93,7 @@ call generateRbacIdentityView('test_package', 'target.name');
 --     from test_package as target
 --     where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
 --     order by target.name;
-- grant all privileges on test_package_rv to restricted;
+-- grant all privileges on test_package_rv to ${RESTRICTED_USER};

 call generateRbacRestrictedView('test_package', 'target.name',
    $updates$
--- a/src/main/resources/db/changelog/133-test-domain-rbac.sql
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql
@ -110,5 +110,5 @@ create or replace view test_domain_rv as
 select target.*
    from test_domain as target
    where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
-grant all privileges on test_domain_rv to restricted;
+grant all privileges on test_domain_rv to ${RESTRICTED_USER};
 --//
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeTables.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeTables.java
@ -54,10 +54,27 @@ import static org.assertj.core.api.Assertions.assertThat;
 * There is some test data in Java resources to verify the data conversion.
 * For a real import a main method will be added later
 * which reads CSV files from the file system.
+ *
+ * When run on a Hostsharing database, it needs the following settings (hsh99_... just examples):
+ *
+ * CREATE USER hsh99_admin WITH PASSWORD 'password';
+ * GRANT ALL ON SCHEMA public TO hsh99_admin;
+ *
+ * CREATE USER hsh99_restricted WITH PASSWORD 'password';
+ * GRANT ALL PRIVILEGES ON ALL TALBES IN SCHEMA hsh99_hsadminng to hsh99_restricted
+ *
+ * CREATE EXTENSION "uuid-ossp";
+ *
+ * And the environment variables  ADMIN_USER and RESTRICTED_USER have to be set to the actual users.
+ * TODO: password
 */
-
-@Disabled
-@DataJpaTest(properties = "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres")
+// @Disabled
+@DataJpaTest(properties = {
+        "spring.profiles.active=migration",
+        "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres",
+        "spring.datasource.username=hsh99_admin",
+        "spring.datasource.password=password"
+})
@Import({ Context.class, JpaAttempt.class })
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
 public class ImportOfficeTables extends ContextBasedTest {
--- a/src/test/java/net/hostsharing/hsadminng/mapper/PostgresArrayIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/mapper/PostgresArrayIntegrationTest.java
@ -22,7 +22,7 @@ class PostgresArrayIntegrationTest {
        em.createNativeQuery("""            
            create or replace function returnEmptyArray()
                returns text[]
-                stable leakproof
+                stable -- leakproof
                language plpgsql as $$
            declare
                emptyArray text[] = '{}';
@ -42,7 +42,7 @@ class PostgresArrayIntegrationTest {
        em.createNativeQuery("""            
            create or replace function returnStringArray()
                returns varchar(63)[]
-                stable leakproof
+                stable -- leakproof
                language plpgsql as $$
            declare
                text1 text = 'one';
@ -65,7 +65,7 @@ class PostgresArrayIntegrationTest {
        em.createNativeQuery("""            
            create or replace function returnUuidArray()
                returns uuid[]
-                stable leakproof
+                stable -- leakproof
                language plpgsql as $$
            declare
                uuid1 UUID = 'f47ac10b-58cc-4372-a567-0e02b2c3d479';