rbac.RoleDescriptor, rbac.assumed(), rbac.unassumed()
This commit is contained in:
parent
de570c3dd4
commit
dfcf22658c
@ -128,7 +128,7 @@ end; $$;
|
|||||||
--//
|
--//
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset context-ASSUMED-ROLES:1 endDelimiter:--//
|
--changeset context-base.ASSUMED-ROLES:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Returns assumed role names as set in `hsadminng.assumedRoles`
|
Returns assumed role names as set in `hsadminng.assumedRoles`
|
||||||
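Review bot: Changing the changeset id on this line from `context-ASSUMED-ROLES:1` to `context-base.ASSUMED-ROLES:1` changes the key Liquibase stores in DATABASECHANGELOG, so any database that already ran the old id will see the renamed changeset as new and try to execute it again, leaving the old row orphaned. That is harmless if every environment is rebuilt from scratch, but for a long-lived instance it needs a matching DATABASECHANGELOG update or at least a remark in the commit that re-execution is intended. The body of the changeset, which would show whether re-running it is idempotent, lies below the hunk.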
|
@ -6,19 +6,19 @@
|
|||||||
/*
|
/*
|
||||||
|
|
||||||
*/
|
*/
|
||||||
create type rbac.referenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
|
create type rbac.ReferenceType as enum ('rbac.subject', 'rbac.role', 'rbac.permission');
|
||||||
|
|
||||||
create table rbac.reference
|
create table rbac.reference
|
||||||
(
|
(
|
||||||
uuid uuid unique default uuid_generate_v4(),
|
uuid uuid unique default uuid_generate_v4(),
|
||||||
type rbac.referenceType not null
|
type rbac.ReferenceType not null
|
||||||
);
|
);
|
||||||
|
|
||||||
create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.referenceType)
|
create or replace function rbac.assertReferenceType(argument varchar, referenceId uuid, expectedType rbac.ReferenceType)
|
||||||
returns rbac.referenceType
|
returns rbac.ReferenceType
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
actualType rbac.referenceType;
|
actualType rbac.ReferenceType;
|
||||||
begin
|
begin
|
||||||
if referenceId is null then
|
if referenceId is null then
|
||||||
raise exception '% must be a % and not null', argument, expectedType;
|
raise exception '% must be a % and not null', argument, expectedType;
|
||||||
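Review bot: The column definition `uuid uuid unique default uuid_generate_v4(),` in `rbac.reference` is neither `not null` nor the primary key, so an explicit null is accepted and, because `unique` ignores nulls, several such rows can coexist; `uuid uuid primary key default uuid_generate_v4(),` states the intent and lets other tables reference it. The rename from `rbac.referenceType` to `rbac.ReferenceType` is cosmetic: PostgreSQL folds unquoted identifiers to lowercase, so both spellings name the same type and no new object is created, which is worth knowing when grepping for it. `rbac.assertReferenceType` continues past the end of the hunk.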
@ -161,9 +161,6 @@ end; $$;
|
|||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-base-ROLE:1 endDelimiter:--//
|
--changeset rbac-base-ROLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
|
||||||
|
|
||||||
*/
|
|
||||||
|
|
||||||
create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER');
|
create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', 'REFERRER');
|
||||||
|
|
||||||
@ -177,7 +174,7 @@ create table rbac.role
|
|||||||
|
|
||||||
call base.create_journal('rbac.role');
|
call base.create_journal('rbac.role');
|
||||||
|
|
||||||
create type RbacRoleDescriptor as
|
create type rbac.RoleDescriptor as
|
||||||
(
|
(
|
||||||
objectTable varchar(63), -- for human readability and easier debugging
|
objectTable varchar(63), -- for human readability and easier debugging
|
||||||
objectUuid uuid,
|
objectUuid uuid,
|
||||||
@ -185,14 +182,14 @@ create type RbacRoleDescriptor as
|
|||||||
assumed boolean
|
assumed boolean
|
||||||
);
|
);
|
||||||
|
|
||||||
create or replace function assumed()
|
create or replace function rbac.assumed()
|
||||||
returns boolean
|
returns boolean
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select true;
|
select true;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace function unassumed()
|
create or replace function rbac.unassumed()
|
||||||
returns boolean
|
returns boolean
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
@ -203,14 +200,14 @@ $$;
|
|||||||
create or replace function roleDescriptor(
|
create or replace function roleDescriptor(
|
||||||
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
|
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
|
||||||
assumed boolean = true) -- just for DSL readability, belongs actually to the grant
|
assumed boolean = true) -- just for DSL readability, belongs actually to the grant
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
|
select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace function createRole(roleDescriptor RbacRoleDescriptor)
|
create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
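Review bot: `roleDescriptor` and `createRole` in this hunk stay unqualified while their argument and return types become `rbac.RoleDescriptor`, and the same holds for `findRoleId`/`getRoleId` (hunk -264), `grantPermissionToRole` (-602), `grantRoleToRole` (-626) and `revokeRoleFromRole` (-653), whereas `rbac.revokePermissionFromRole` (-673) is qualified. Calls such as `call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));` therefore resolve through the session search_path, which is the usual hijack surface if any of these is ever invoked from a SECURITY DEFINER routine, and it makes the API read as two namespaces. Qualifying them as `rbac.roleDescriptor`, `rbac.createRole` and so on in this commit, or adding a comment stating that they are deliberately left in the default schema, would close the gap; the `globalADMIN(...)` call sites in the later trigger sections are affected the same way. Unrelated, the cast `roleType::rbac.RoleType` in the `select` is a no-op since the parameter already has that type.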
@ -264,14 +261,14 @@ begin
|
|||||||
return roleUuid;
|
return roleUuid;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function findRoleId(roleDescriptor RbacRoleDescriptor)
|
create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
|
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace function getRoleId(roleDescriptor RbacRoleDescriptor)
|
create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||||
returns uuid
|
returns uuid
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
@ -602,7 +599,7 @@ begin
|
|||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc RbacRoleDescriptor)
|
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
|
call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
|
||||||
@ -626,7 +623,7 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
|
||||||
create or replace procedure grantRoleToRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor, doAssume bool = true)
|
create or replace procedure grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
superRoleId uuid;
|
superRoleId uuid;
|
||||||
@ -653,7 +650,7 @@ begin
|
|||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace procedure revokeRoleFromRole(subRole RbacRoleDescriptor, superRole RbacRoleDescriptor)
|
create or replace procedure revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
superRoleId uuid;
|
superRoleId uuid;
|
||||||
@ -673,7 +670,7 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
|
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole rbac.RoleDescriptor)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
superRoleId uuid;
|
superRoleId uuid;
|
||||||
|
@ -114,7 +114,7 @@ create or replace view rbacgrants_ev as
|
|||||||
*/
|
*/
|
||||||
drop view if exists rbacgrants_rv;
|
drop view if exists rbacgrants_rv;
|
||||||
create or replace view rbacgrants_rv as
|
create or replace view rbacgrants_rv as
|
||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||||
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
|
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
|
||||||
|
@ -7,12 +7,12 @@
|
|||||||
-- -----------------------------------------------------------------
|
-- -----------------------------------------------------------------
|
||||||
|
|
||||||
create or replace function rbac.defineRoleWithGrants(
|
create or replace function rbac.defineRoleWithGrants(
|
||||||
roleDescriptor RbacRoleDescriptor,
|
roleDescriptor rbac.RoleDescriptor,
|
||||||
permissions RbacOp[] = array[]::RbacOp[],
|
permissions RbacOp[] = array[]::RbacOp[],
|
||||||
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
||||||
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
||||||
subjectUuids uuid[] = array[]::uuid[],
|
subjectUuids uuid[] = array[]::uuid[],
|
||||||
grantedByRole RbacRoleDescriptor = null
|
grantedByRole rbac.RoleDescriptor = null
|
||||||
)
|
)
|
||||||
returns uuid
|
returns uuid
|
||||||
called on null input
|
called on null input
|
||||||
@ -21,8 +21,8 @@ declare
|
|||||||
roleUuid uuid;
|
roleUuid uuid;
|
||||||
permission RbacOp;
|
permission RbacOp;
|
||||||
permissionUuid uuid;
|
permissionUuid uuid;
|
||||||
subRoleDesc RbacRoleDescriptor;
|
subRoleDesc rbac.RoleDescriptor;
|
||||||
superRoleDesc RbacRoleDescriptor;
|
superRoleDesc rbac.RoleDescriptor;
|
||||||
subRoleUuid uuid;
|
subRoleUuid uuid;
|
||||||
superRoleUuid uuid;
|
superRoleUuid uuid;
|
||||||
subjectUuid uuid;
|
subjectUuid uuid;
|
||||||
|
@ -42,7 +42,7 @@ declare
|
|||||||
begin
|
begin
|
||||||
sql = format($sql$
|
sql = format($sql$
|
||||||
create or replace function %1$sOwner(entity %2$s, assumed boolean = true)
|
create or replace function %1$sOwner(entity %2$s, assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
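Review bot: `create or replace function %1$sOwner(entity %2$s, assumed boolean = true)` inside `format($sql$ ... $sql$)` splices the prefix and entity type into DDL as raw text, since `%s` applies no identifier quoting; the enclosing function and the origin of the two arguments start above the hunk, so whether they can carry anything but fixed changelog names cannot be seen here. If they are always developer-supplied constants, a comment on the `sql = format($sql$` line such as `-- %1$s/%2$s are trusted identifiers from the changelog; deliberately not quoted (no %I)` makes that assumption explicit; if not, compute the full names first (`prefix || 'Owner'`) and pass them through `%I` so they are quoted. The same pattern appears in the -50, -58, -66, -75 and -83 hunks of this section. In the -7 hunk, `permissions RbacOp[] = array[]::RbacOp[]` is the one type in this signature still outside the `rbac` schema, presumably just not migrated yet.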
@ -50,7 +50,7 @@ begin
|
|||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
|
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
@ -58,7 +58,7 @@ begin
|
|||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
|
create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
@ -66,7 +66,7 @@ begin
|
|||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
|
create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
@ -75,7 +75,7 @@ begin
|
|||||||
|
|
||||||
-- TODO: remove guest role
|
-- TODO: remove guest role
|
||||||
create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
|
create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
@ -83,7 +83,7 @@ begin
|
|||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
create or replace function %1$sReferrer(entity %2$s)
|
create or replace function %1$sReferrer(entity %2$s)
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
|
@ -110,7 +110,7 @@ commit;
|
|||||||
A rbac.Global administrator role.
|
A rbac.Global administrator role.
|
||||||
*/
|
*/
|
||||||
create or replace function globalAdmin(assumed boolean = true)
|
create or replace function globalAdmin(assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
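Review bot: On the line `stable -- leakproof` the word leakproof is only a comment, so `globalAdmin` does not get the LEAKPROOF attribute and the planner will not push it past row-level-security or security-barrier checks, although a reader may assume it does. If the attribute is intended, it has to be declared explicitly as `stable leakproof`, which only a superuser can set at definition time; if it is an aspiration, rewording to `-- TODO: declare leakproof once the deploy role may set it` avoids the misleading claim. `globalGuest` in the -131 hunk and `rbac.assumed`/`rbac.unassumed`/`roleDescriptor` in the role section carry the same comment. The function body continues below the hunk.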
@ -131,7 +131,7 @@ commit;
|
|||||||
A rbac.Global guest role.
|
A rbac.Global guest role.
|
||||||
*/
|
*/
|
||||||
create or replace function globalGuest(assumed boolean = true)
|
create or replace function globalGuest(assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
@ -149,7 +149,7 @@ commit;
|
|||||||
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Create two users and assign both to the administrators role.
|
Create two users and assign both to the administrators' role.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
|
@ -37,7 +37,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
testCustomerOWNER(NEW),
|
testCustomerOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN(unassumed())],
|
incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -49,7 +49,7 @@ begin
|
|||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsBookingProjectOWNER(NEW),
|
hsBookingProjectOWNER(NEW),
|
||||||
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())]
|
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, rbac.unassumed())]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
|
@ -50,7 +50,7 @@ begin
|
|||||||
hsHostingAssetOWNER(NEW),
|
hsHostingAssetOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
globalADMIN(unassumed()),
|
globalADMIN(rbac.unassumed()),
|
||||||
hsBookingItemADMIN(newBookingItem),
|
hsBookingItemADMIN(newBookingItem),
|
||||||
hsHostingAssetADMIN(newParentAsset)],
|
hsHostingAssetADMIN(newParentAsset)],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
|