rbac.RoleDescriptor, rbac.assumed(), rbac.unassumed()

This commit is contained in:
Michael Hoennig 2024-09-14 06:06:54 +02:00
parent de570c3dd4
commit dfcf22658c
9 changed files with 36 additions and 39 deletions


@ -128,7 +128,7 @@ end; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset context-ASSUMED-ROLES:1 endDelimiter:--// --changeset context-base.ASSUMED-ROLES:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Returns assumed role names as set in `hsadminng.assumedRoles` Returns assumed role names as set in `hsadminng.assumedRoles`
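Review bot: Changing the Liquibase changeset id from `context-ASSUMED-ROLES:1` to `context-base.ASSUMED-ROLES:1` changes the changeset's identity (Liquibase keys on id, author and changelog path), so any database whose DATABASECHANGELOG already records the old id will no longer see this changeset as applied and will execute it again on the next update. That is harmless only if every environment is rebuilt from scratch or the statements under this header are all `create or replace`; otherwise keep the old id or update the recorded id in DATABASECHANGELOG as part of the same release. The hunk shows only the header comment; the definitions it introduces continue outside the hunk, so whether they are safely re-runnable cannot be confirmed from here.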


@ -6,19 +6,19 @@
/* /*
*/ */
create type rbac.referenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission'); create type rbac.ReferenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
create table rbac.reference create table rbac.reference
( (
uuid uuid unique default uuid_generate_v4(), uuid uuid unique default uuid_generate_v4(),
type rbac.referenceType not null type rbac.ReferenceType not null
); );
create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.referenceType) create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.ReferenceType)
returns rbac.referenceType returns rbac.ReferenceType
language plpgsql as $$ language plpgsql as $$
declare declare
actualType rbac.referenceType; actualType rbac.ReferenceType;
begin begin
if referenceId is null then if referenceId is null then
raise exception '% must be a % and not null', argument, expectedType; raise exception '% must be a % and not null', argument, expectedType;
@ -161,9 +161,6 @@ end; $$;
-- ============================================================================ -- ============================================================================
--changeset rbac-base-ROLE:1 endDelimiter:--// --changeset rbac-base-ROLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/*
*/
create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER'); create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER');
@ -177,7 +174,7 @@ create table rbac.role
call base.create_journal('rbac.role'); call base.create_journal('rbac.role');
create type RbacRoleDescriptor as create type rbac.RoleDescriptor as
( (
objectTable varchar(63), -- for human readability and easier debugging objectTable varchar(63), -- for human readability and easier debugging
objectUuid uuid, objectUuid uuid,
@ -185,14 +182,14 @@ create type RbacRoleDescriptor as
assumed boolean assumed boolean
); );
create or replace function assumed() create or replace function rbac.assumed()
returns boolean returns boolean
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
select true; select true;
$$; $$;
create or replace function unassumed() create or replace function rbac.unassumed()
returns boolean returns boolean
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
@ -203,14 +200,14 @@ $$;
create or replace function roleDescriptor( create or replace function roleDescriptor(
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType, objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
assumed boolean = true) -- just for DSL readability, belongs actually to the grant assumed boolean = true) -- just for DSL readability, belongs actually to the grant
returns RbacRoleDescriptor returns rbac.RoleDescriptor
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
select objectTable, objectUuid, roleType::rbac.RoleType, assumed; select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
$$; $$;
create or replace function createRole(roleDescriptor RbacRoleDescriptor) create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
returns uuid returns uuid
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
@ -264,14 +261,14 @@ begin
return roleUuid; return roleUuid;
end; $$; end; $$;
create or replace function findRoleId(roleDescriptor RbacRoleDescriptor) create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
returns uuid returns uuid
returns null on null input returns null on null input
language sql as $$ language sql as $$
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType; select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
$$; $$;
create or replace function getRoleId(roleDescriptor RbacRoleDescriptor) create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
returns uuid returns uuid
language plpgsql as $$ language plpgsql as $$
declare declare
@ -602,7 +599,7 @@ begin
end; end;
$$; $$;
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc RbacRoleDescriptor) create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
language plpgsql as $$ language plpgsql as $$
begin begin
call grantPermissionToRole(permissionUuid, findRoleId(roleDesc)); call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
@ -626,7 +623,7 @@ begin
end; $$; end; $$;
create or replace procedure grantRoleToRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor, doAssume bool = true) create or replace procedure grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
language plpgsql as $$ language plpgsql as $$
declare declare
superRoleId uuid; superRoleId uuid;
@ -653,7 +650,7 @@ begin
on conflict do nothing; -- allow granting multiple times on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
create or replace procedure revokeRoleFromRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor) create or replace procedure revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
language plpgsql as $$ language plpgsql as $$
declare declare
superRoleId uuid; superRoleId uuid;
@ -673,7 +670,7 @@ begin
end if; end if;
end; $$; end; $$;
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor) create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole rbac.RoleDescriptor)
language plpgsql as $$ language plpgsql as $$
declare declare
superRoleId uuid; superRoleId uuid;
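Review bot: The move into the `rbac` schema stops halfway in this file: `rbac.RoleDescriptor`, `rbac.assumed()` and `rbac.unassumed()` are qualified, but `roleDescriptor`, `createRole`, `findRoleId`, `getRoleId`, `grantPermissionToRole`, `grantRoleToRole` and `revokeRoleFromRole` remain unqualified while `rbac.revokePermissionFromRole` in the last hunk is qualified. For privilege-granting code that matters beyond style, because the unqualified `findRoleId(roleDesc)` inside `grantPermissionToRole` is resolved through the caller's `search_path`, so the fix is either to qualify these functions in the same pass or to pin `set search_path = rbac, pg_catalog` on each definition. The same half-qualified state is left in the other sections of this commit: the generated `%1$sOwner` … `%1$sReferrer` template functions and `globalAdmin`/`globalGuest` now return `rbac.RoleDescriptor` but are themselves still created without a schema. Two smaller points on the same hunks: `rbac.assumed()` returns the literal `true` (and `rbac.unassumed()` presumably its counterpart, its body ends outside the hunk), so `immutable` rather than `stable -- leakproof` would be the accurate volatility marker; and because Postgres folds unquoted identifiers to lower case, `rbac.referenceType` → `rbac.ReferenceType` changes nothing in the catalog and is readability-only. The bodies of `getRoleId`, `grantRoleToRole`, `revokeRoleFromRole` and `rbac.revokePermissionFromRole` continue past their hunks.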


@ -114,7 +114,7 @@ create or replace view rbacgrants_ev as
*/ */
drop view if exists rbacgrants_rv; drop view if exists rbacgrants_rv;
create or replace view rbacgrants_rv as create or replace view rbacgrants_rv as
-- @formatter:off -- @formatter:off
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed, g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid, g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,


@ -7,12 +7,12 @@
-- ----------------------------------------------------------------- -- -----------------------------------------------------------------
create or replace function rbac.defineRoleWithGrants( create or replace function rbac.defineRoleWithGrants(
roleDescriptor RbacRoleDescriptor, roleDescriptor rbac.RoleDescriptor,
permissions RbacOp[] = array[]::RbacOp[], permissions RbacOp[] = array[]::RbacOp[],
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[], incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[], outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
subjectUuids uuid[] = array[]::uuid[], subjectUuids uuid[] = array[]::uuid[],
grantedByRole RbacRoleDescriptor = null grantedByRole rbac.RoleDescriptor = null
) )
returns uuid returns uuid
called on null input called on null input
@ -21,8 +21,8 @@ declare
roleUuid uuid; roleUuid uuid;
permission RbacOp; permission RbacOp;
permissionUuid uuid; permissionUuid uuid;
subRoleDesc RbacRoleDescriptor; subRoleDesc rbac.RoleDescriptor;
superRoleDesc RbacRoleDescriptor; superRoleDesc rbac.RoleDescriptor;
subRoleUuid uuid; subRoleUuid uuid;
superRoleUuid uuid; superRoleUuid uuid;
subjectUuid uuid; subjectUuid uuid;


@ -42,7 +42,7 @@ declare
begin begin
sql = format($sql$ sql = format($sql$
create or replace function %1$sOwner(entity %2$s, assumed boolean = true) create or replace function %1$sOwner(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor returns rbac.RoleDescriptor
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
@ -50,7 +50,7 @@ begin
end; $f$; end; $f$;
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true) create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor returns rbac.RoleDescriptor
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
@ -58,7 +58,7 @@ begin
end; $f$; end; $f$;
create or replace function %1$sAgent(entity %2$s, assumed boolean = true) create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor returns rbac.RoleDescriptor
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
@ -66,7 +66,7 @@ begin
end; $f$; end; $f$;
create or replace function %1$sTenant(entity %2$s, assumed boolean = true) create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor returns rbac.RoleDescriptor
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
@ -75,7 +75,7 @@ begin
-- TODO: remove guest role -- TODO: remove guest role
create or replace function %1$sGuest(entity %2$s, assumed boolean = true) create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
returns RbacRoleDescriptor returns rbac.RoleDescriptor
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
@ -83,7 +83,7 @@ begin
end; $f$; end; $f$;
create or replace function %1$sReferrer(entity %2$s) create or replace function %1$sReferrer(entity %2$s)
returns RbacRoleDescriptor returns rbac.RoleDescriptor
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin


@ -110,7 +110,7 @@ commit;
A rbac.Global administrator role. A rbac.Global administrator role.
*/ */
create or replace function globalAdmin(assumed boolean = true) create or replace function globalAdmin(assumed boolean = true)
returns RbacRoleDescriptor returns rbac.RoleDescriptor
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
@ -131,7 +131,7 @@ commit;
A rbac.Global guest role. A rbac.Global guest role.
*/ */
create or replace function globalGuest(assumed boolean = true) create or replace function globalGuest(assumed boolean = true)
returns RbacRoleDescriptor returns rbac.RoleDescriptor
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
@ -149,7 +149,7 @@ commit;
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--// --changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Create two users and assign both to the administrators role. Create two users and assign both to the administrators' role.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
testCustomerOWNER(NEW), testCustomerOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN(unassumed())], incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );


@ -49,7 +49,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsBookingProjectOWNER(NEW), hsBookingProjectOWNER(NEW),
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())] incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, rbac.unassumed())]
); );
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(


@ -50,7 +50,7 @@ begin
hsHostingAssetOWNER(NEW), hsHostingAssetOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[ incomingSuperRoles => array[
globalADMIN(unassumed()), globalADMIN(rbac.unassumed()),
hsBookingItemADMIN(newBookingItem), hsBookingItemADMIN(newBookingItem),
hsHostingAssetADMIN(newParentAsset)], hsHostingAssetADMIN(newParentAsset)],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]