Liquibase-Scripts and database migration possible with explicit (non-superuser) DB-User
This commit is contained in:
parent
70621fd482
commit
db7c101691
@ -55,7 +55,7 @@ end; $$;
|
|||||||
*/
|
*/
|
||||||
create or replace function currentTask()
|
create or replace function currentTask()
|
||||||
returns varchar(96)
|
returns varchar(96)
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentTask varchar(96);
|
currentTask varchar(96);
|
||||||
@ -83,7 +83,7 @@ end; $$;
|
|||||||
*/
|
*/
|
||||||
create or replace function currentRequest()
|
create or replace function currentRequest()
|
||||||
returns varchar(512)
|
returns varchar(512)
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentRequest varchar(512);
|
currentRequest varchar(512);
|
||||||
@ -107,7 +107,7 @@ end; $$;
|
|||||||
*/
|
*/
|
||||||
create or replace function currentUser()
|
create or replace function currentUser()
|
||||||
returns varchar(63)
|
returns varchar(63)
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentUser varchar(63);
|
currentUser varchar(63);
|
||||||
@ -131,7 +131,7 @@ end; $$;
|
|||||||
*/
|
*/
|
||||||
create or replace function assumedRoles()
|
create or replace function assumedRoles()
|
||||||
returns varchar(63)[]
|
returns varchar(63)[]
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentSubject varchar(63);
|
currentSubject varchar(63);
|
||||||
@ -214,7 +214,7 @@ end ; $$;
|
|||||||
|
|
||||||
create or replace function currentSubjects()
|
create or replace function currentSubjects()
|
||||||
returns varchar(63)[]
|
returns varchar(63)[]
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
assumedRoles varchar(63)[];
|
assumedRoles varchar(63)[];
|
||||||
@ -229,7 +229,7 @@ end; $$;
|
|||||||
|
|
||||||
create or replace function hasAssumedRole()
|
create or replace function hasAssumedRole()
|
||||||
returns boolean
|
returns boolean
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return array_length(assumedRoles(), 1) > 0;
|
return array_length(assumedRoles(), 1) > 0;
|
||||||
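Review bot: Turning `stable leakproof` into `stable -- leakproof` leaves a dangling comment with no explanation of why the attribute was dropped, and the same trailing comment is repeated in every function touched by this commit (the hunks at @-83, @-107, @-131, @-214 and @-229 here, the ones at @-208, @-432, @-515, @-537, @-6, @-7, @-25, @-116, @-150 and @-99 in the other scripts, and the three functions in PostgresArrayIntegrationTest). Presumably the reason is that only a superuser may declare a function LEAKPROOF, which the non-superuser migration user named in the commit title cannot do; say so once, e.g. `stable -- leakproof omitted: declaring it requires superuser, which the migration user is not`. Without LEAKPROOF the planner will not push these functions below security_barrier views or row-level-security quals, so if any such views exist the plans of queries that filter through them may change; that is a performance consideration, not a loss of protection. Each function body continues outside its hunk.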
|
@ -208,7 +208,7 @@ create type RbacRoleDescriptor as
|
|||||||
create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType)
|
create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select objectTable, objectUuid, roleType::RbacRoleType;
|
select objectTable, objectUuid, roleType::RbacRoleType;
|
||||||
$$;
|
$$;
|
||||||
@ -432,7 +432,7 @@ $$;
|
|||||||
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
|
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select uuid
|
select uuid
|
||||||
from RbacPermission p
|
from RbacPermission p
|
||||||
@ -515,7 +515,7 @@ end; $$;
|
|||||||
|
|
||||||
create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
|
create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
|
||||||
returns BOOL
|
returns BOOL
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select exists(
|
select exists(
|
||||||
select *
|
select *
|
||||||
@ -537,7 +537,7 @@ $$;
|
|||||||
|
|
||||||
create or replace function hasGlobalRoleGranted(userUuid uuid)
|
create or replace function hasGlobalRoleGranted(userUuid uuid)
|
||||||
returns bool
|
returns bool
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select exists(
|
select exists(
|
||||||
select r.uuid
|
select r.uuid
|
||||||
@ -758,13 +758,18 @@ $$;
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-base-PGSQL-ROLES:1 endDelimiter:--//
|
--changeset rbac-base-PGSQL-ROLES:1 context:dev,tc endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
do $$
|
||||||
|
begin
|
||||||
|
if '${ADMIN_USER}'='admin' then
|
||||||
create role admin;
|
create role admin;
|
||||||
grant all privileges on all tables in schema public to admin;
|
grant all privileges on all tables in schema public to admin;
|
||||||
|
|
||||||
create role restricted;
|
create role restricted;
|
||||||
grant all privileges on all tables in schema public to restricted;
|
grant all privileges on all tables in schema public to restricted;
|
||||||
|
end if;
|
||||||
|
end $$
|
||||||
--//
|
--//
|
||||||
|
|
||||||
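Review bot: The new `if '${ADMIN_USER}'='admin'` guard also decides whether the `restricted` role is created, although the rest of this commit addresses that role through the separate `${RESTRICTED_USER}` property; with ADMIN_USER=admin but RESTRICTED_USER set to another name, the later `grant ... to ${RESTRICTED_USER}` statements refer to a role this changeset never creates, and with an external admin user `restricted` is never created either. A second guard `if '${RESTRICTED_USER}'='restricted' then create role restricted; ... end if;` around the second pair of statements would keep the two properties independent. Separately, `grant all privileges on all tables in schema public to restricted` gives the restricted role the same table-level rights as admin, and only for tables that exist when the changeset runs; if the `_rv` view grants elsewhere in this commit are meant to be the restricted user's only access path, this grant bypasses them and deserves either a narrower grant or a comment explaining why it is acceptable in the `dev,tc` contexts. `create role` without `login` cannot be used to connect, so presumably the real login users are created outside Liquibase as the ImportOfficeTables javadoc describes.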
|
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
create or replace function assumedRoleUuid()
|
create or replace function assumedRoleUuid()
|
||||||
returns uuid
|
returns uuid
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentSubjectsUuids uuid[];
|
currentSubjectsUuids uuid[];
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
create or replace function determineCurrentUserUuid(currentUser varchar)
|
create or replace function determineCurrentUserUuid(currentUser varchar)
|
||||||
returns uuid
|
returns uuid
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentUserUuid uuid;
|
currentUserUuid uuid;
|
||||||
@ -25,7 +25,7 @@ end; $$;
|
|||||||
|
|
||||||
create or replace function determineCurrentSubjectsUuids(currentUserUuid uuid, assumedRoles varchar)
|
create or replace function determineCurrentSubjectsUuids(currentUserUuid uuid, assumedRoles varchar)
|
||||||
returns uuid[]
|
returns uuid[]
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
roleName text;
|
roleName text;
|
||||||
@ -116,7 +116,7 @@ end; $$;
|
|||||||
|
|
||||||
create or replace function currentUserUuid()
|
create or replace function currentUserUuid()
|
||||||
returns uuid
|
returns uuid
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentUserUuid text;
|
currentUserUuid text;
|
||||||
@ -150,7 +150,7 @@ end; $$;
|
|||||||
*/
|
*/
|
||||||
create or replace function currentSubjectsUuids()
|
create or replace function currentSubjectsUuids()
|
||||||
returns uuid[]
|
returns uuid[]
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentSubjectsUuids text;
|
currentSubjectsUuids text;
|
||||||
|
@ -41,7 +41,7 @@ select *
|
|||||||
) as unordered
|
) as unordered
|
||||||
-- @formatter:on
|
-- @formatter:on
|
||||||
order by objectTable || '#' || objectIdName || '.' || roleType;
|
order by objectTable || '#' || objectIdName || '.' || roleType;
|
||||||
grant all privileges on rbacrole_rv to restricted;
|
grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
@ -126,7 +126,7 @@ select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) ||
|
|||||||
join RbacObject as o on o.uuid = r.objectUuid
|
join RbacObject as o on o.uuid = r.objectUuid
|
||||||
order by grantedRoleIdName;
|
order by grantedRoleIdName;
|
||||||
-- @formatter:on
|
-- @formatter:on
|
||||||
grant all privileges on rbacrole_rv to restricted;
|
grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
@ -240,7 +240,7 @@ create or replace view RbacUser_rv as
|
|||||||
) as unordered
|
) as unordered
|
||||||
-- @formatter:on
|
-- @formatter:on
|
||||||
order by unordered.name;
|
order by unordered.name;
|
||||||
grant all privileges on RbacUser_rv to restricted;
|
grant all privileges on RbacUser_rv to ${RESTRICTED_USER};
|
||||||
--//
|
--//
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
@ -326,7 +326,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
|
|||||||
join rbacgrants g on g.ascendantuuid = r.uuid
|
join rbacgrants g on g.ascendantuuid = r.uuid
|
||||||
join rbacpermission p on p.uuid = g.descendantuuid
|
join rbacpermission p on p.uuid = g.descendantuuid
|
||||||
join rbacobject o on o.uuid = p.objectuuid;
|
join rbacobject o on o.uuid = p.objectuuid;
|
||||||
grant all privileges on RbacOwnGrantedPermissions_rv to restricted;
|
grant all privileges on RbacOwnGrantedPermissions_rv to ${RESTRICTED_USER};
|
||||||
-- @formatter:om
|
-- @formatter:om
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
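Review bot: In the hunk at @-126 the grant after `order by grantedRoleIdName;` targets `rbacrole_rv`, the same view already granted in the hunk at @-41; the view being created at @-126 starts outside the hunk, but its `grantedRoleIdName` ordering suggests a different (grants) view, so this looks like a copied object name and the view created there may end up without any grant for the restricted user. Please confirm the intended object and change the line to `grant all privileges on <that view> to ${RESTRICTED_USER};`. The `${RESTRICTED_USER}` placeholder is spliced in as an unquoted identifier by Liquibase property substitution, so it must only ever come from trusted deployment configuration; if the property is undefined Liquibase leaves the literal text in place and the grant fails at migration time rather than silently granting to the wrong role. The `-- @formatter:om` context line in the hunk at @-326 looks like a typo for `-- @formatter:on`.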
|
@ -104,7 +104,7 @@ begin
|
|||||||
create or replace view %1$s_iv as
|
create or replace view %1$s_iv as
|
||||||
select target.uuid, cleanIdentifier(%2$s) as idName
|
select target.uuid, cleanIdentifier(%2$s) as idName
|
||||||
from %1$s as target;
|
from %1$s as target;
|
||||||
grant all privileges on %1$s_iv to restricted;
|
grant all privileges on %1$s_iv to ${RESTRICTED_USER};
|
||||||
$sql$, targetTable, idNameExpression);
|
$sql$, targetTable, idNameExpression);
|
||||||
execute sql;
|
execute sql;
|
||||||
|
|
||||||
@ -157,7 +157,7 @@ begin
|
|||||||
from %1$s as target
|
from %1$s as target
|
||||||
where target.uuid in (select * from accessibleObjects)
|
where target.uuid in (select * from accessibleObjects)
|
||||||
order by %2$s;
|
order by %2$s;
|
||||||
grant all privileges on %1$s_rv to restricted;
|
grant all privileges on %1$s_rv to ${RESTRICTED_USER};
|
||||||
$sql$, targetTable, orderBy);
|
$sql$, targetTable, orderBy);
|
||||||
execute sql;
|
execute sql;
|
||||||
|
|
||||||
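Review bot: `grant all privileges on %1$s_iv to ${RESTRICTED_USER}` in the hunk at @-104 hands out insert/update/delete/truncate/trigger rights on a view that is a plain projection (`select target.uuid, cleanIdentifier(%2$s) as idName from %1$s as target`); this commit itself uses `grant select on global to ${RESTRICTED_USER}` for a read-only object, so the identity views here and `global_iv` (hunk at @-48 in the next file) should follow that pattern with `grant select on %1$s_iv to ${RESTRICTED_USER};`. The `$updates$` argument passed to `generateRbacRestrictedView` in the test_package file suggests the `_rv` views at @-157 are meant to be writable, so `all privileges` may be intentional there; a one-line comment saying so would stop the next reader from narrowing it. Because the placeholder is substituted into a `format()` template, a role name containing `%` would be read as a format specifier; presumably deployment configuration never does that, but it is worth noting on the procedure. Both generate procedures begin and end outside their hunks.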
|
@ -18,7 +18,7 @@ create table Global
|
|||||||
);
|
);
|
||||||
create unique index Global_Singleton on Global ((0));
|
create unique index Global_Singleton on Global ((0));
|
||||||
|
|
||||||
grant select on global to restricted;
|
grant select on global to ${RESTRICTED_USER};
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
@ -48,7 +48,7 @@ drop view if exists global_iv;
|
|||||||
create or replace view global_iv as
|
create or replace view global_iv as
|
||||||
select target.uuid, target.name as idName
|
select target.uuid, target.name as idName
|
||||||
from global as target;
|
from global as target;
|
||||||
grant all privileges on global_iv to restricted;
|
grant all privileges on global_iv to ${RESTRICTED_USER};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the objectUuid for a given identifying name (in this case the idName).
|
Returns the objectUuid for a given identifying name (in this case the idName).
|
||||||
@ -99,7 +99,7 @@ commit;
|
|||||||
create or replace function globalAdmin()
|
create or replace function globalAdmin()
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
|
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
|
||||||
$$;
|
$$;
|
||||||
|
@ -93,7 +93,7 @@ call generateRbacIdentityView('test_package', 'target.name');
|
|||||||
-- from test_package as target
|
-- from test_package as target
|
||||||
-- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
|
-- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
|
||||||
-- order by target.name;
|
-- order by target.name;
|
||||||
-- grant all privileges on test_package_rv to restricted;
|
-- grant all privileges on test_package_rv to ${RESTRICTED_USER};
|
||||||
|
|
||||||
call generateRbacRestrictedView('test_package', 'target.name',
|
call generateRbacRestrictedView('test_package', 'target.name',
|
||||||
$updates$
|
$updates$
|
||||||
|
@ -110,5 +110,5 @@ create or replace view test_domain_rv as
|
|||||||
select target.*
|
select target.*
|
||||||
from test_domain as target
|
from test_domain as target
|
||||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
|
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
|
||||||
grant all privileges on test_domain_rv to restricted;
|
grant all privileges on test_domain_rv to ${RESTRICTED_USER};
|
||||||
--//
|
--//
|
||||||
|
@ -54,10 +54,27 @@ import static org.assertj.core.api.Assertions.assertThat;
|
|||||||
* There is some test data in Java resources to verify the data conversion.
|
* There is some test data in Java resources to verify the data conversion.
|
||||||
* For a real import a main method will be added later
|
* For a real import a main method will be added later
|
||||||
* which reads CSV files from the file system.
|
* which reads CSV files from the file system.
|
||||||
|
*
|
||||||
|
* When run on a Hostsharing database, it needs the following settings (hsh99_... just examples):
|
||||||
|
*
|
||||||
|
* CREATE USER hsh99_admin WITH PASSWORD 'password';
|
||||||
|
* GRANT ALL ON SCHEMA public TO hsh99_admin;
|
||||||
|
*
|
||||||
|
* CREATE USER hsh99_restricted WITH PASSWORD 'password';
|
||||||
|
* GRANT ALL PRIVILEGES ON ALL TALBES IN SCHEMA hsh99_hsadminng to hsh99_restricted
|
||||||
|
*
|
||||||
|
* CREATE EXTENSION "uuid-ossp";
|
||||||
|
*
|
||||||
|
* And the environment variables ADMIN_USER and RESTRICTED_USER have to be set to the actual users.
|
||||||
|
* TODO: password
|
||||||
*/
|
*/
|
||||||
|
// @Disabled
|
||||||
@Disabled
|
@DataJpaTest(properties = {
|
||||||
@DataJpaTest(properties = "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres")
|
"spring.profiles.active=migration",
|
||||||
|
"spring.datasource.url=jdbc:postgresql://localhost:5432/postgres",
|
||||||
|
"spring.datasource.username=hsh99_admin",
|
||||||
|
"spring.datasource.password=password"
|
||||||
|
})
|
||||||
@Import({ Context.class, JpaAttempt.class })
|
@Import({ Context.class, JpaAttempt.class })
|
||||||
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
|
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
|
||||||
public class ImportOfficeTables extends ContextBasedTest {
|
public class ImportOfficeTables extends ContextBasedTest {
|
||||||
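Review bot: The new `@DataJpaTest` properties hard-code `spring.datasource.username=hsh99_admin` and `spring.datasource.password=password`, and with `@Disabled` now commented out the class runs unconditionally against `localhost:5432/postgres`; committed credentials and a test that only passes on a specially prepared local database are both worth avoiding. Prefer resolving them from the environment the javadoc already names, e.g. `"spring.datasource.username=${ADMIN_USER}"` and `"spring.datasource.password=${ADMIN_PASSWORD}"` (the password variable name is a placeholder, pick the project's), and keep the class `@Disabled` or gate it with `@EnabledIfEnvironmentVariable` so a CI run without that database does not fail. The javadoc also reads `TALBES` for `TABLES`, and its grant targets schema `hsh99_hsadminng` while the Liquibase changeset grants in schema `public`; presumably one of these is stale. The class body continues outside the hunk.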
|
@ -22,7 +22,7 @@ class PostgresArrayIntegrationTest {
|
|||||||
em.createNativeQuery("""
|
em.createNativeQuery("""
|
||||||
create or replace function returnEmptyArray()
|
create or replace function returnEmptyArray()
|
||||||
returns text[]
|
returns text[]
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
emptyArray text[] = '{}';
|
emptyArray text[] = '{}';
|
||||||
@ -42,7 +42,7 @@ class PostgresArrayIntegrationTest {
|
|||||||
em.createNativeQuery("""
|
em.createNativeQuery("""
|
||||||
create or replace function returnStringArray()
|
create or replace function returnStringArray()
|
||||||
returns varchar(63)[]
|
returns varchar(63)[]
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
text1 text = 'one';
|
text1 text = 'one';
|
||||||
@ -65,7 +65,7 @@ class PostgresArrayIntegrationTest {
|
|||||||
em.createNativeQuery("""
|
em.createNativeQuery("""
|
||||||
create or replace function returnUuidArray()
|
create or replace function returnUuidArray()
|
||||||
returns uuid[]
|
returns uuid[]
|
||||||
stable leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
uuid1 UUID = 'f47ac10b-58cc-4372-a567-0e02b2c3d479';
|
uuid1 UUID = 'f47ac10b-58cc-4372-a567-0e02b2c3d479';
|
||||||
|