Liquibase-Scripts and database migration possible with explicit (non-superuser) DB-User

This commit is contained in:
Michael Hoennig 2024-01-11 18:05:46 +01:00
parent 70621fd482
commit db7c101691
11 changed files with 60 additions and 38 deletions


@ -55,7 +55,7 @@ end; $$;
*/
create or replace function currentTask()
returns varchar(96)
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
currentTask varchar(96);
@ -83,7 +83,7 @@ end; $$;
*/
create or replace function currentRequest()
returns varchar(512)
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
currentRequest varchar(512);
@ -107,7 +107,7 @@ end; $$;
*/
create or replace function currentUser()
returns varchar(63)
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
currentUser varchar(63);
@ -131,7 +131,7 @@ end; $$;
*/
create or replace function assumedRoles()
returns varchar(63)[]
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
currentSubject varchar(63);
@ -214,7 +214,7 @@ end ; $$;
create or replace function currentSubjects()
returns varchar(63)[]
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
assumedRoles varchar(63)[];
@ -229,7 +229,7 @@ end; $$;
create or replace function hasAssumedRole()
returns boolean
stable leakproof
stable -- leakproof
language plpgsql as $$
begin
return array_length(assumedRoles(), 1) > 0;
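Review bot: Commenting out `leakproof` on currentTask(), currentRequest(), currentUser(), assumedRoles(), currentSubjects() and hasAssumedRole() — and the same edit in the other SQL sections of this commit and in the three functions of PostgresArrayIntegrationTest — changes planner behaviour rather than just a declaration: a function that is not leakproof may no longer be evaluated ahead of the predicates of a security_barrier view or a row-level-security policy, so if this schema uses either, the affected queries can get noticeably slower plans. The marker is presumably dropped because only a superuser may declare LEAKPROOF, which matches the commit title, but a bare `-- leakproof` does not tell the next reader that. I would write `stable -- leakproof omitted: declaring it requires a superuser` at the first occurrence and keep the others consistent. Each function body continues outside the hunk.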


@ -208,7 +208,7 @@ create type RbacRoleDescriptor as
create or replace function roleDescriptor(objectTable varchar(63), objectUuid uuid, roleType RbacRoleType)
returns RbacRoleDescriptor
returns null on null input
stable leakproof
stable -- leakproof
language sql as $$
select objectTable, objectUuid, roleType::RbacRoleType;
$$;
@ -432,7 +432,7 @@ $$;
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp)
returns uuid
returns null on null input
stable leakproof
stable -- leakproof
language sql as $$
select uuid
from RbacPermission p
@ -515,7 +515,7 @@ end; $$;
create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
returns BOOL
stable leakproof
stable -- leakproof
language sql as $$
select exists(
select *
@ -537,7 +537,7 @@ $$;
create or replace function hasGlobalRoleGranted(userUuid uuid)
returns bool
stable leakproof
stable -- leakproof
language sql as $$
select exists(
select r.uuid
@ -758,13 +758,18 @@ $$;
-- ============================================================================
--changeset rbac-base-PGSQL-ROLES:1 endDelimiter:--//
--changeset rbac-base-PGSQL-ROLES:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
create role admin;
grant all privileges on all tables in schema public to admin;
create role restricted;
grant all privileges on all tables in schema public to restricted;
do $$
begin
if '${ADMIN_USER}'='admin' then
create role admin;
grant all privileges on all tables in schema public to admin;
create role restricted;
grant all privileges on all tables in schema public to restricted;
end if;
end $$
--//
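Review bot: The guard `if '${ADMIN_USER}'='admin' then` decides the creation of both roles, but only `admin` depends on that property; `restricted`, which is granted all privileges on every table in schema public, is created whenever the admin name happens to be `admin` and never otherwise, regardless of what `${RESTRICTED_USER}` is set to. One `if` per property keeps each role tied to the variable the grants elsewhere in this commit actually use. `create role` also fails on re-run because PostgreSQL has no `if not exists` form for roles; with the changeset now limited to `context:dev,tc` that may be acceptable, but a `-- not idempotent: fails if the roles already exist` comment on the changeset line would save the next person a surprise. Note that the restricted role still receives all privileges on all tables, so the restriction appears to rest entirely on the `_rv`/`_iv` views and their grants, which is worth stating in a comment here.
```sql
do $$
begin
    if '${ADMIN_USER}'='admin' then
        create role admin;
        grant all privileges on all tables in schema public to admin;
    end if;
    if '${RESTRICTED_USER}'='restricted' then
        create role restricted;
        grant all privileges on all tables in schema public to restricted;
    end if;
end $$
```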


@ -6,7 +6,7 @@
create or replace function assumedRoleUuid()
returns uuid
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
currentSubjectsUuids uuid[];


@ -7,7 +7,7 @@
create or replace function determineCurrentUserUuid(currentUser varchar)
returns uuid
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
currentUserUuid uuid;
@ -25,7 +25,7 @@ end; $$;
create or replace function determineCurrentSubjectsUuids(currentUserUuid uuid, assumedRoles varchar)
returns uuid[]
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
roleName text;
@ -116,7 +116,7 @@ end; $$;
create or replace function currentUserUuid()
returns uuid
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
currentUserUuid text;
@ -150,7 +150,7 @@ end; $$;
*/
create or replace function currentSubjectsUuids()
returns uuid[]
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
currentSubjectsUuids text;


@ -41,7 +41,7 @@ select *
) as unordered
-- @formatter:on
order by objectTable || '#' || objectIdName || '.' || roleType;
grant all privileges on rbacrole_rv to restricted;
grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
--//
@ -126,7 +126,7 @@ select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) ||
join RbacObject as o on o.uuid = r.objectUuid
order by grantedRoleIdName;
-- @formatter:on
grant all privileges on rbacrole_rv to restricted;
grant all privileges on rbacrole_rv to ${RESTRICTED_USER};
--//
@ -240,7 +240,7 @@ create or replace view RbacUser_rv as
) as unordered
-- @formatter:on
order by unordered.name;
grant all privileges on RbacUser_rv to restricted;
grant all privileges on RbacUser_rv to ${RESTRICTED_USER};
--//
-- ============================================================================
@ -326,7 +326,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
join rbacgrants g on g.ascendantuuid = r.uuid
join rbacpermission p on p.uuid = g.descendantuuid
join rbacobject o on o.uuid = p.objectuuid;
grant all privileges on RbacOwnGrantedPermissions_rv to restricted;
grant all privileges on RbacOwnGrantedPermissions_rv to ${RESTRICTED_USER};
-- @formatter:om
-- ============================================================================
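Review bot: The grant in the second hunk, `grant all privileges on rbacrole_rv to ${RESTRICTED_USER};` after the query ordered by grantedRoleIdName, targets rbacrole_rv — the same view as the first hunk — although the `create or replace view` it follows is outside the hunk and its name cannot be checked here; if that view is not rbacrole_rv, this is an inherited copy-paste and the view just defined ends up with no grant for the restricted user at all, so please confirm the view name. Separately, `${RESTRICTED_USER}` is substituted as an unquoted identifier in all four hunks, so a role name containing upper-case letters or a hyphen would be case-folded or rejected; if such names are possible, quote it consistently, otherwise document the naming constraint next to the property.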


@ -104,7 +104,7 @@ begin
create or replace view %1$s_iv as
select target.uuid, cleanIdentifier(%2$s) as idName
from %1$s as target;
grant all privileges on %1$s_iv to restricted;
grant all privileges on %1$s_iv to ${RESTRICTED_USER};
$sql$, targetTable, idNameExpression);
execute sql;
@ -157,7 +157,7 @@ begin
from %1$s as target
where target.uuid in (select * from accessibleObjects)
order by %2$s;
grant all privileges on %1$s_rv to restricted;
grant all privileges on %1$s_rv to ${RESTRICTED_USER};
$sql$, targetTable, orderBy);
execute sql;
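Review bot: The new grant lines in both hunks build the object name as `%1$s_iv` / `%1$s_rv` inside a `format()` template, so the table name is spliced in as raw text rather than as an identifier, the same way the surrounding `create or replace view %1$s_iv` and `from %1$s as target` do; the callers visible in this commit (`generateRbacIdentityView('test_package', ...)`) are internal, so this is a robustness rather than an exposure issue, but `%I` with `targetTable || '_iv'` as the argument would quote the identifier correctly. `${RESTRICTED_USER}` is expanded by Liquibase when the changeset is loaded, so the role name becomes a fixed part of the generator's body and a later change of the property does not affect views already generated — worth a one-line comment above the procedure, e.g. `-- ${RESTRICTED_USER} is fixed at migration time; regenerate views after changing it`. The enclosing procedure starts and ends outside the hunk.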


@ -18,7 +18,7 @@ create table Global
);
create unique index Global_Singleton on Global ((0));
grant select on global to restricted;
grant select on global to ${RESTRICTED_USER};
--//
@ -48,7 +48,7 @@ drop view if exists global_iv;
create or replace view global_iv as
select target.uuid, target.name as idName
from global as target;
grant all privileges on global_iv to restricted;
grant all privileges on global_iv to ${RESTRICTED_USER};
/*
Returns the objectUuid for a given identifying name (in this case the idName).
@ -99,7 +99,7 @@ commit;
create or replace function globalAdmin()
returns RbacRoleDescriptor
returns null on null input
stable leakproof
stable -- leakproof
language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$;
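Review bot: The restricted user receives only `select` on the global table in the first hunk but `all privileges` on global_iv in the second; global_iv is a simple single-table view, which PostgreSQL treats as automatically updatable, and unless it is declared with security_invoker it runs with its owner's rights, so the restricted user could insert into or update global through the view despite the select-only grant on the table. Unless writes through the identity view are intended, `grant select on global_iv to ${RESTRICTED_USER};` would match the table grant. The `-- leakproof` change in the third hunk is covered by the note on the first section.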


@ -93,7 +93,7 @@ call generateRbacIdentityView('test_package', 'target.name');
-- from test_package as target
-- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
-- order by target.name;
-- grant all privileges on test_package_rv to restricted;
-- grant all privileges on test_package_rv to ${RESTRICTED_USER};
call generateRbacRestrictedView('test_package', 'target.name',
$updates$
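Review bot: The edited line sits in a commented-out copy of what generateRbacRestrictedView generates, so it now has to be kept in step with the generator by hand while never executing. I would drop the commented-out block, or shrink it to a pointer such as `-- the restricted view and its grant are produced by generateRbacRestrictedView below`, rather than keep editing it.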


@ -110,5 +110,5 @@ create or replace view test_domain_rv as
select target.*
from test_domain as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
grant all privileges on test_domain_rv to restricted;
grant all privileges on test_domain_rv to ${RESTRICTED_USER};
--//


@ -54,10 +54,27 @@ import static org.assertj.core.api.Assertions.assertThat;
* There is some test data in Java resources to verify the data conversion.
* For a real import a main method will be added later
* which reads CSV files from the file system.
*
* When run on a Hostsharing database, it needs the following settings (hsh99_... just examples):
*
* CREATE USER hsh99_admin WITH PASSWORD 'password';
* GRANT ALL ON SCHEMA public TO hsh99_admin;
*
* CREATE USER hsh99_restricted WITH PASSWORD 'password';
* GRANT ALL PRIVILEGES ON ALL TALBES IN SCHEMA hsh99_hsadminng to hsh99_restricted
*
* CREATE EXTENSION "uuid-ossp";
*
* And the environment variables ADMIN_USER and RESTRICTED_USER have to be set to the actual users.
* TODO: password
*/
@Disabled
@DataJpaTest(properties = "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres")
// @Disabled
@DataJpaTest(properties = {
"spring.profiles.active=migration",
"spring.datasource.url=jdbc:postgresql://localhost:5432/postgres",
"spring.datasource.username=hsh99_admin",
"spring.datasource.password=password"
})
@Import({ Context.class, JpaAttempt.class })
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
public class ImportOfficeTables extends ContextBasedTest {
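Review bot: With `@Disabled` commented out, this test now runs unconditionally against `jdbc:postgresql://localhost:5432/postgres` with `spring.datasource.username=hsh99_admin` and `spring.datasource.password=password` hard-coded in the annotation — it fails wherever that database and account do not exist, and a literal password in a committed test source is exactly what the javadoc's `TODO: password` points at. Since the javadoc already requires ADMIN_USER and RESTRICTED_USER from the environment, the credentials could come from there too, e.g. `"spring.datasource.password=${<password-env-var>}"` (Spring should resolve `${…}` placeholders in inlined test properties against the environment — verify), with `@Disabled` kept until that is in place. The javadoc's SQL example has a typo, `TALBES` for `TABLES`, and its `GRANT ALL PRIVILEGES ... to hsh99_restricted` line lacks the trailing semicolon. That example grants on `SCHEMA hsh99_hsadminng` for the restricted user but on `SCHEMA public` for the admin, so confirm which schema the setup is meant to describe. The class body continues outside the hunk.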


@ -22,7 +22,7 @@ class PostgresArrayIntegrationTest {
em.createNativeQuery("""
create or replace function returnEmptyArray()
returns text[]
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
emptyArray text[] = '{}';
@ -42,7 +42,7 @@ class PostgresArrayIntegrationTest {
em.createNativeQuery("""
create or replace function returnStringArray()
returns varchar(63)[]
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
text1 text = 'one';
@ -65,7 +65,7 @@ class PostgresArrayIntegrationTest {
em.createNativeQuery("""
create or replace function returnUuidArray()
returns uuid[]
stable leakproof
stable -- leakproof
language plpgsql as $$
declare
uuid1 UUID = 'f47ac10b-58cc-4372-a567-0e02b2c3d479';