Liquibase-Scripts and database migration possible with explicit (non-superuser) DB-User

This commit is contained in:
Michael Hoennig 2024-01-11 18:05:46 +01:00
parent 70621fd482
commit db7c101691
11 changed files with 60 additions and 38 deletions

View File

@ -55,7 +55,7 @@ end; $$;
*/ */
create or replace function currentTask() create or replace function currentTask()
returns varchar(96) returns varchar(96)
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
currentTask varchar(96); currentTask varchar(96);
@ -83,7 +83,7 @@ end; $$;
*/ */
create or replace function currentRequest() create or replace function currentRequest()
returns varchar(512) returns varchar(512)
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
currentRequest varchar(512); currentRequest varchar(512);
@ -107,7 +107,7 @@ end; $$;
*/ */
create or replace function currentUser() create or replace function currentUser()
returns varchar(63) returns varchar(63)
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
currentUser varchar(63); currentUser varchar(63);
@ -131,7 +131,7 @@ end; $$;
*/ */
create or replace function assumedRoles() create or replace function assumedRoles()
returns varchar(63)[] returns varchar(63)[]
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
currentSubject varchar(63); currentSubject varchar(63);
@ -214,7 +214,7 @@ end ; $$;
create or replace function currentSubjects() create or replace function currentSubjects()
returns varchar(63)[] returns varchar(63)[]
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
assumedRoles varchar(63)[]; assumedRoles varchar(63)[];
@ -229,7 +229,7 @@ end; $$;
create or replace function hasAssumedRole() create or replace function hasAssumedRole()
returns boolean returns boolean
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
begin begin
return array_length(assumedRoles(), 1) > 0; return array_length(assumedRoles(), 1) > 0;

View File

@ -208,7 +208,7 @@ create type RbacRoleDescriptor as
create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType) create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
stable leakproof stable -- leakproof
language sql as $$ language sql as $$
select objectTable, objectUuid, roleType::RbacRoleType; select objectTable, objectUuid, roleType::RbacRoleType;
$$; $$;
@ -432,7 +432,7 @@ $$;
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp) create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
returns uuid returns uuid
returns null on null input returns null on null input
stable leakproof stable -- leakproof
language sql as $$ language sql as $$
select uuid select uuid
from RbacPermission p from RbacPermission p
@ -515,7 +515,7 @@ end; $$;
create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid) create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
returns BOOL returns BOOL
stable leakproof stable -- leakproof
language sql as $$ language sql as $$
select exists( select exists(
select * select *
@ -537,7 +537,7 @@ $$;
create or replace function hasGlobalRoleGranted(userUuid uuid) create or replace function hasGlobalRoleGranted(userUuid uuid)
returns bool returns bool
stable leakproof stable -- leakproof
language sql as $$ language sql as $$
select exists( select exists(
select r.uuid select r.uuid
@ -758,13 +758,18 @@ $$;
-- ============================================================================ -- ============================================================================
--changeset rbac-base-PGSQL-ROLES:1 endDelimiter:--// --changeset rbac-base-PGSQL-ROLES:1 context:dev,tc endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
do $$
begin
if '${ADMIN_USER}'='admin' then
create role admin; create role admin;
grant all privileges on all tables in schema public to admin; grant all privileges on all tables in schema public to admin;
create role restricted; create role restricted;
grant all privileges on all tables in schema public to restricted; grant all privileges on all tables in schema public to restricted;
end if;
end $$
--// --//

View File

@ -6,7 +6,7 @@
create or replace function assumedRoleUuid() create or replace function assumedRoleUuid()
returns uuid returns uuid
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
currentSubjectsUuids uuid[]; currentSubjectsUuids uuid[];

View File

@ -7,7 +7,7 @@
create or replace function determineCurrentUserUuid(currentUser varchar) create or replace function determineCurrentUserUuid(currentUser varchar)
returns uuid returns uuid
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
currentUserUuid uuid; currentUserUuid uuid;
@ -25,7 +25,7 @@ end; $$;
create or replace function determineCurrentSubjectsUuids(currentUserUuid uuid, assumedRoles varchar) create or replace function determineCurrentSubjectsUuids(currentUserUuid uuid, assumedRoles varchar)
returns uuid[] returns uuid[]
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
roleName text; roleName text;
@ -116,7 +116,7 @@ end; $$;
create or replace function currentUserUuid() create or replace function currentUserUuid()
returns uuid returns uuid
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
currentUserUuid text; currentUserUuid text;
@ -150,7 +150,7 @@ end; $$;
*/ */
create or replace function currentSubjectsUuids() create or replace function currentSubjectsUuids()
returns uuid[] returns uuid[]
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
currentSubjectsUuids text; currentSubjectsUuids text;

View File

@ -41,7 +41,7 @@ select *
) as unordered ) as unordered
-- @formatter:on -- @formatter:on
order by objectTable || '#' || objectIdName || '.' || roleType; order by objectTable || '#' || objectIdName || '.' || roleType;
grant all privileges on rbacrole_rv to restricted; grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
--// --//
@ -126,7 +126,7 @@ select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) ||
join RbacObject as o on o.uuid = r.objectUuid join RbacObject as o on o.uuid = r.objectUuid
order by grantedRoleIdName; order by grantedRoleIdName;
-- @formatter:on -- @formatter:on
grant all privileges on rbacrole_rv to restricted; grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
--// --//
@ -240,7 +240,7 @@ create or replace view RbacUser_rv as
) as unordered ) as unordered
-- @formatter:on -- @formatter:on
order by unordered.name; order by unordered.name;
grant all privileges on RbacUser_rv to restricted; grant all privileges on RbacUser_rv to ${RESTRICTED_USER};
--// --//
-- ============================================================================ -- ============================================================================
@ -326,7 +326,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
join rbacgrants g on g.ascendantuuid = r.uuid join rbacgrants g on g.ascendantuuid = r.uuid
join rbacpermission p on p.uuid = g.descendantuuid join rbacpermission p on p.uuid = g.descendantuuid
join rbacobject o on o.uuid = p.objectuuid; join rbacobject o on o.uuid = p.objectuuid;
grant all privileges on RbacOwnGrantedPermissions_rv to restricted; grant all privileges on RbacOwnGrantedPermissions_rv to ${RESTRICTED_USER};
-- @formatter:om -- @formatter:om
-- ============================================================================ -- ============================================================================

View File

@ -104,7 +104,7 @@ begin
create or replace view %1$s_iv as create or replace view %1$s_iv as
select target.uuid, cleanIdentifier(%2$s) as idName select target.uuid, cleanIdentifier(%2$s) as idName
from %1$s as target; from %1$s as target;
grant all privileges on %1$s_iv to restricted; grant all privileges on %1$s_iv to ${RESTRICTED_USER};
$sql$, targetTable, idNameExpression); $sql$, targetTable, idNameExpression);
execute sql; execute sql;
@ -157,7 +157,7 @@ begin
from %1$s as target from %1$s as target
where target.uuid in (select * from accessibleObjects) where target.uuid in (select * from accessibleObjects)
order by %2$s; order by %2$s;
grant all privileges on %1$s_rv to restricted; grant all privileges on %1$s_rv to ${RESTRICTED_USER};
$sql$, targetTable, orderBy); $sql$, targetTable, orderBy);
execute sql; execute sql;

View File

@ -18,7 +18,7 @@ create table Global
); );
create unique index Global_Singleton on Global ((0)); create unique index Global_Singleton on Global ((0));
grant select on global to restricted; grant select on global to ${RESTRICTED_USER};
--// --//
@ -48,7 +48,7 @@ drop view if exists global_iv;
create or replace view global_iv as create or replace view global_iv as
select target.uuid, target.name as idName select target.uuid, target.name as idName
from global as target; from global as target;
grant all privileges on global_iv to restricted; grant all privileges on global_iv to ${RESTRICTED_USER};
/* /*
Returns the objectUuid for a given identifying name (in this case the idName). Returns the objectUuid for a given identifying name (in this case the idName).
@ -99,7 +99,7 @@ commit;
create or replace function globalAdmin() create or replace function globalAdmin()
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
stable leakproof stable -- leakproof
language sql as $$ language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType; select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$; $$;

View File

@ -93,7 +93,7 @@ call generateRbacIdentityView('test_package', 'target.name');
-- from test_package as target -- from test_package as target
-- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids())) -- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
-- order by target.name; -- order by target.name;
-- grant all privileges on test_package_rv to restricted; -- grant all privileges on test_package_rv to ${RESTRICTED_USER};
call generateRbacRestrictedView('test_package', 'target.name', call generateRbacRestrictedView('test_package', 'target.name',
$updates$ $updates$

View File

@ -110,5 +110,5 @@ create or replace view test_domain_rv as
select target.* select target.*
from test_domain as target from test_domain as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids())); where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
grant all privileges on test_domain_rv to restricted; grant all privileges on test_domain_rv to ${RESTRICTED_USER};
--// --//

View File

@ -54,10 +54,27 @@ import static org.assertj.core.api.Assertions.assertThat;
* There is some test data in Java resources to verify the data conversion. * There is some test data in Java resources to verify the data conversion.
* For a real import a main method will be added later * For a real import a main method will be added later
* which reads CSV files from the file system. * which reads CSV files from the file system.
*
* When run on a Hostsharing database, it needs the following settings (hsh99_... just examples):
*
* CREATE USER hsh99_admin WITH PASSWORD 'password';
* GRANT ALL ON SCHEMA public TO hsh99_admin;
*
* CREATE USER hsh99_restricted WITH PASSWORD 'password';
* GRANT ALL PRIVILEGES ON ALL TALBES IN SCHEMA hsh99_hsadminng to hsh99_restricted
*
* CREATE EXTENSION "uuid-ossp";
*
* And the environment variables ADMIN_USER and RESTRICTED_USER have to be set to the actual users.
* TODO: password
*/ */
// @Disabled
@Disabled @DataJpaTest(properties = {
@DataJpaTest(properties = "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres") "spring.profiles.active=migration",
"spring.datasource.url=jdbc:postgresql://localhost:5432/postgres",
"spring.datasource.username=hsh99_admin",
"spring.datasource.password=password"
})
@Import({ Context.class, JpaAttempt.class }) @Import({ Context.class, JpaAttempt.class })
@TestMethodOrder(MethodOrderer.OrderAnnotation.class) @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
public class ImportOfficeTables extends ContextBasedTest { public class ImportOfficeTables extends ContextBasedTest {

View File

@ -22,7 +22,7 @@ class PostgresArrayIntegrationTest {
em.createNativeQuery(""" em.createNativeQuery("""
create or replace function returnEmptyArray() create or replace function returnEmptyArray()
returns text[] returns text[]
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
emptyArray text[] = '{}'; emptyArray text[] = '{}';
@ -42,7 +42,7 @@ class PostgresArrayIntegrationTest {
em.createNativeQuery(""" em.createNativeQuery("""
create or replace function returnStringArray() create or replace function returnStringArray()
returns varchar(63)[] returns varchar(63)[]
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
text1 text = 'one'; text1 text = 'one';
@ -65,7 +65,7 @@ class PostgresArrayIntegrationTest {
em.createNativeQuery(""" em.createNativeQuery("""
create or replace function returnUuidArray() create or replace function returnUuidArray()
returns uuid[] returns uuid[]
stable leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
declare declare
uuid1 UUID = 'f47ac10b-58cc-4372-a567-0e02b2c3d479'; uuid1 UUID = 'f47ac10b-58cc-4372-a567-0e02b2c3d479';