Liquibase-Scripts and database migration possible with explicit (non-superuser) DB-User
This commit is contained in:
parent
70621fd482
commit
db7c101691
@ -55,7 +55,7 @@ end; $$;
|
||||
*/
|
||||
create or replace function currentTask()
|
||||
returns varchar(96)
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentTask varchar(96);
|
||||
@ -83,7 +83,7 @@ end; $$;
|
||||
*/
|
||||
create or replace function currentRequest()
|
||||
returns varchar(512)
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentRequest varchar(512);
|
||||
@ -107,7 +107,7 @@ end; $$;
|
||||
*/
|
||||
create or replace function currentUser()
|
||||
returns varchar(63)
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentUser varchar(63);
|
||||
@ -131,7 +131,7 @@ end; $$;
|
||||
*/
|
||||
create or replace function assumedRoles()
|
||||
returns varchar(63)[]
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentSubject varchar(63);
|
||||
@ -214,7 +214,7 @@ end ; $$;
|
||||
|
||||
create or replace function currentSubjects()
|
||||
returns varchar(63)[]
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
assumedRoles varchar(63)[];
|
||||
@ -229,7 +229,7 @@ end; $$;
|
||||
|
||||
create or replace function hasAssumedRole()
|
||||
returns boolean
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return array_length(assumedRoles(), 1) > 0;
|
||||
|
@ -208,7 +208,7 @@ create type RbacRoleDescriptor as
|
||||
create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select objectTable, objectUuid, roleType::RbacRoleType;
|
||||
$$;
|
||||
@ -432,7 +432,7 @@ $$;
|
||||
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select uuid
|
||||
from RbacPermission p
|
||||
@ -515,7 +515,7 @@ end; $$;
|
||||
|
||||
create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
|
||||
returns BOOL
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select exists(
|
||||
select *
|
||||
@ -537,7 +537,7 @@ $$;
|
||||
|
||||
create or replace function hasGlobalRoleGranted(userUuid uuid)
|
||||
returns bool
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select exists(
|
||||
select r.uuid
|
||||
@ -758,13 +758,18 @@ $$;
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-base-PGSQL-ROLES:1 endDelimiter:--//
|
||||
--changeset rbac-base-PGSQL-ROLES:1 context:dev,tc endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
do $$
|
||||
begin
|
||||
if '${ADMIN_USER}'='admin' then
|
||||
create role admin;
|
||||
grant all privileges on all tables in schema public to admin;
|
||||
|
||||
create role restricted;
|
||||
grant all privileges on all tables in schema public to restricted;
|
||||
|
||||
end if;
|
||||
end $$
|
||||
--//
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
create or replace function assumedRoleUuid()
|
||||
returns uuid
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentSubjectsUuids uuid[];
|
||||
|
@ -7,7 +7,7 @@
|
||||
|
||||
create or replace function determineCurrentUserUuid(currentUser varchar)
|
||||
returns uuid
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentUserUuid uuid;
|
||||
@ -25,7 +25,7 @@ end; $$;
|
||||
|
||||
create or replace function determineCurrentSubjectsUuids(currentUserUuid uuid, assumedRoles varchar)
|
||||
returns uuid[]
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
roleName text;
|
||||
@ -116,7 +116,7 @@ end; $$;
|
||||
|
||||
create or replace function currentUserUuid()
|
||||
returns uuid
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentUserUuid text;
|
||||
@ -150,7 +150,7 @@ end; $$;
|
||||
*/
|
||||
create or replace function currentSubjectsUuids()
|
||||
returns uuid[]
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentSubjectsUuids text;
|
||||
|
@ -41,7 +41,7 @@ select *
|
||||
) as unordered
|
||||
-- @formatter:on
|
||||
order by objectTable || '#' || objectIdName || '.' || roleType;
|
||||
grant all privileges on rbacrole_rv to restricted;
|
||||
grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
|
||||
--//
|
||||
|
||||
|
||||
@ -126,7 +126,7 @@ select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) ||
|
||||
join RbacObject as o on o.uuid = r.objectUuid
|
||||
order by grantedRoleIdName;
|
||||
-- @formatter:on
|
||||
grant all privileges on rbacrole_rv to restricted;
|
||||
grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
|
||||
--//
|
||||
|
||||
|
||||
@ -240,7 +240,7 @@ create or replace view RbacUser_rv as
|
||||
) as unordered
|
||||
-- @formatter:on
|
||||
order by unordered.name;
|
||||
grant all privileges on RbacUser_rv to restricted;
|
||||
grant all privileges on RbacUser_rv to ${RESTRICTED_USER};
|
||||
--//
|
||||
|
||||
-- ============================================================================
|
||||
@ -326,7 +326,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
|
||||
join rbacgrants g on g.ascendantuuid = r.uuid
|
||||
join rbacpermission p on p.uuid = g.descendantuuid
|
||||
join rbacobject o on o.uuid = p.objectuuid;
|
||||
grant all privileges on RbacOwnGrantedPermissions_rv to restricted;
|
||||
grant all privileges on RbacOwnGrantedPermissions_rv to ${RESTRICTED_USER};
|
||||
-- @formatter:om
|
||||
|
||||
-- ============================================================================
|
||||
|
@ -104,7 +104,7 @@ begin
|
||||
create or replace view %1$s_iv as
|
||||
select target.uuid, cleanIdentifier(%2$s) as idName
|
||||
from %1$s as target;
|
||||
grant all privileges on %1$s_iv to restricted;
|
||||
grant all privileges on %1$s_iv to ${RESTRICTED_USER};
|
||||
$sql$, targetTable, idNameExpression);
|
||||
execute sql;
|
||||
|
||||
@ -157,7 +157,7 @@ begin
|
||||
from %1$s as target
|
||||
where target.uuid in (select * from accessibleObjects)
|
||||
order by %2$s;
|
||||
grant all privileges on %1$s_rv to restricted;
|
||||
grant all privileges on %1$s_rv to ${RESTRICTED_USER};
|
||||
$sql$, targetTable, orderBy);
|
||||
execute sql;
|
||||
|
||||
|
@ -18,7 +18,7 @@ create table Global
|
||||
);
|
||||
create unique index Global_Singleton on Global ((0));
|
||||
|
||||
grant select on global to restricted;
|
||||
grant select on global to ${RESTRICTED_USER};
|
||||
--//
|
||||
|
||||
|
||||
@ -48,7 +48,7 @@ drop view if exists global_iv;
|
||||
create or replace view global_iv as
|
||||
select target.uuid, target.name as idName
|
||||
from global as target;
|
||||
grant all privileges on global_iv to restricted;
|
||||
grant all privileges on global_iv to ${RESTRICTED_USER};
|
||||
|
||||
/*
|
||||
Returns the objectUuid for a given identifying name (in this case the idName).
|
||||
@ -99,7 +99,7 @@ commit;
|
||||
create or replace function globalAdmin()
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
|
||||
$$;
|
||||
|
@ -93,7 +93,7 @@ call generateRbacIdentityView('test_package', 'target.name');
|
||||
-- from test_package as target
|
||||
-- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
|
||||
-- order by target.name;
|
||||
-- grant all privileges on test_package_rv to restricted;
|
||||
-- grant all privileges on test_package_rv to ${RESTRICTED_USER};
|
||||
|
||||
call generateRbacRestrictedView('test_package', 'target.name',
|
||||
$updates$
|
||||
|
@ -110,5 +110,5 @@ create or replace view test_domain_rv as
|
||||
select target.*
|
||||
from test_domain as target
|
||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
|
||||
grant all privileges on test_domain_rv to restricted;
|
||||
grant all privileges on test_domain_rv to ${RESTRICTED_USER};
|
||||
--//
|
||||
|
@ -54,10 +54,27 @@ import static org.assertj.core.api.Assertions.assertThat;
|
||||
* There is some test data in Java resources to verify the data conversion.
|
||||
* For a real import a main method will be added later
|
||||
* which reads CSV files from the file system.
|
||||
*
|
||||
* When run on a Hostsharing database, it needs the following settings (hsh99_... just examples):
|
||||
*
|
||||
* CREATE USER hsh99_admin WITH PASSWORD 'password';
|
||||
* GRANT ALL ON SCHEMA public TO hsh99_admin;
|
||||
*
|
||||
* CREATE USER hsh99_restricted WITH PASSWORD 'password';
|
||||
* GRANT ALL PRIVILEGES ON ALL TALBES IN SCHEMA hsh99_hsadminng to hsh99_restricted
|
||||
*
|
||||
* CREATE EXTENSION "uuid-ossp";
|
||||
*
|
||||
* And the environment variables ADMIN_USER and RESTRICTED_USER have to be set to the actual users.
|
||||
* TODO: password
|
||||
*/
|
||||
|
||||
@Disabled
|
||||
@DataJpaTest(properties = "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres")
|
||||
// @Disabled
|
||||
@DataJpaTest(properties = {
|
||||
"spring.profiles.active=migration",
|
||||
"spring.datasource.url=jdbc:postgresql://localhost:5432/postgres",
|
||||
"spring.datasource.username=hsh99_admin",
|
||||
"spring.datasource.password=password"
|
||||
})
|
||||
@Import({ Context.class, JpaAttempt.class })
|
||||
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
|
||||
public class ImportOfficeTables extends ContextBasedTest {
|
||||
|
@ -22,7 +22,7 @@ class PostgresArrayIntegrationTest {
|
||||
em.createNativeQuery("""
|
||||
create or replace function returnEmptyArray()
|
||||
returns text[]
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
emptyArray text[] = '{}';
|
||||
@ -42,7 +42,7 @@ class PostgresArrayIntegrationTest {
|
||||
em.createNativeQuery("""
|
||||
create or replace function returnStringArray()
|
||||
returns varchar(63)[]
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
text1 text = 'one';
|
||||
@ -65,7 +65,7 @@ class PostgresArrayIntegrationTest {
|
||||
em.createNativeQuery("""
|
||||
create or replace function returnUuidArray()
|
||||
returns uuid[]
|
||||
stable leakproof
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
uuid1 UUID = 'f47ac10b-58cc-4372-a567-0e02b2c3d479';
|
||||
|