Compare commits
2 Commits
5f00a093e4
...
77aba67af9
Author | SHA1 | Date | |
---|---|---|---|
|
77aba67af9 | ||
|
a7037c4306 |
@ -110,7 +110,7 @@ end; $$;
|
|||||||
/*
|
/*
|
||||||
Returns the current user as defined by `basis.defineContext(...)`.
|
Returns the current user as defined by `basis.defineContext(...)`.
|
||||||
*/
|
*/
|
||||||
create or replace function currentUser()
|
create or replace function basis.currentUser()
|
||||||
returns varchar(63)
|
returns varchar(63)
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
@ -134,7 +134,7 @@ end; $$;
|
|||||||
Returns assumed role names as set in `hsadminng.assumedRoles`
|
Returns assumed role names as set in `hsadminng.assumedRoles`
|
||||||
or empty array, if not set.
|
or empty array, if not set.
|
||||||
*/
|
*/
|
||||||
create or replace function assumedRoles()
|
create or replace function basis.assumedRoles()
|
||||||
returns varchar(1023)[]
|
returns varchar(1023)[]
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
@ -213,11 +213,11 @@ create or replace function currentSubjects()
|
|||||||
declare
|
declare
|
||||||
assumedRoles varchar(1023)[];
|
assumedRoles varchar(1023)[];
|
||||||
begin
|
begin
|
||||||
assumedRoles := assumedRoles();
|
assumedRoles := basis.assumedRoles();
|
||||||
if array_length(assumedRoles, 1) > 0 then
|
if array_length(assumedRoles, 1) > 0 then
|
||||||
return assumedRoles;
|
return assumedRoles;
|
||||||
else
|
else
|
||||||
return array [currentUser()]::varchar(1023)[];
|
return array [basis.currentUser()]::varchar(1023)[];
|
||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
@ -226,7 +226,7 @@ create or replace function hasAssumedRole()
|
|||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return array_length(assumedRoles(), 1) > 0;
|
return array_length(basis.assumedRoles(), 1) > 0;
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -84,7 +84,7 @@ begin
|
|||||||
insert
|
insert
|
||||||
into basis.tx_context (txId, txTimestamp, currentUser, assumedRoles, currentTask, currentRequest)
|
into basis.tx_context (txId, txTimestamp, currentUser, assumedRoles, currentTask, currentRequest)
|
||||||
values ( curTxId, now(),
|
values ( curTxId, now(),
|
||||||
currentUser(), assumedRoles(), curTask, basis.currentRequest())
|
basis.currentUser(), basis.assumedRoles(), curTask, basis.currentRequest())
|
||||||
on conflict do nothing;
|
on conflict do nothing;
|
||||||
|
|
||||||
case tg_op
|
case tg_op
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-global-historization-tx-history-txid:1 endDelimiter:--//
|
--changeset hs-global-historization-tx-history-txid:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
create or replace function tx_history_txid()
|
create or replace function basis.tx_history_txid()
|
||||||
returns xid8 stable
|
returns xid8 stable
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
@ -12,18 +12,18 @@ declare
|
|||||||
historicalTxId xid8;
|
historicalTxId xid8;
|
||||||
historicalTimestamp timestamp;
|
historicalTimestamp timestamp;
|
||||||
begin
|
begin
|
||||||
select coalesce(current_setting('hsadminng.tx_history_txid', true), '') into historicalTxIdSetting;
|
select coalesce(current_setting('hsadminng.basis.tx_history_txid', true), '') into historicalTxIdSetting;
|
||||||
select coalesce(current_setting('hsadminng.tx_history_timestamp', true), '') into historicalTimestampSetting;
|
select coalesce(current_setting('hsadminng.tx_history_timestamp', true), '') into historicalTimestampSetting;
|
||||||
if historicalTxIdSetting > '' and historicalTimestampSetting > '' then
|
if historicalTxIdSetting > '' and historicalTimestampSetting > '' then
|
||||||
raise exception 'either hsadminng.tx_history_txid or hsadminng.tx_history_timestamp must be set, but both are set: (%, %)',
|
raise exception 'either hsadminng.basis.tx_history_txid or hsadminng.tx_history_timestamp must be set, but both are set: (%, %)',
|
||||||
historicalTxIdSetting, historicalTimestampSetting;
|
historicalTxIdSetting, historicalTimestampSetting;
|
||||||
end if;
|
end if;
|
||||||
if historicalTxIdSetting = '' and historicalTimestampSetting = '' then
|
if historicalTxIdSetting = '' and historicalTimestampSetting = '' then
|
||||||
raise exception 'either hsadminng.tx_history_txid or hsadminng.tx_history_timestamp must be set, but both are unset or empty: (%, %)',
|
raise exception 'either hsadminng.basis.tx_history_txid or hsadminng.tx_history_timestamp must be set, but both are unset or empty: (%, %)',
|
||||||
historicalTxIdSetting, historicalTimestampSetting;
|
historicalTxIdSetting, historicalTimestampSetting;
|
||||||
end if;
|
end if;
|
||||||
-- just for debugging / making sure the function is only called once per query
|
-- just for debugging / making sure the function is only called once per query
|
||||||
-- raise notice 'tx_history_txid() called with: (%, %)', historicalTxIdSetting, historicalTimestampSetting;
|
-- raise notice 'basis.tx_history_txid() called with: (%, %)', historicalTxIdSetting, historicalTimestampSetting;
|
||||||
|
|
||||||
if historicalTxIdSetting is null or historicalTxIdSetting = '' then
|
if historicalTxIdSetting is null or historicalTxIdSetting = '' then
|
||||||
select historicalTimestampSetting::timestamp into historicalTimestamp;
|
select historicalTimestampSetting::timestamp into historicalTimestamp;
|
||||||
@ -40,7 +40,7 @@ end; $$;
|
|||||||
--changeset hs-global-historization-tx-historicize-tf:1 endDelimiter:--//
|
--changeset hs-global-historization-tx-historicize-tf:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create type "tx_operation" as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
|
create type basis.tx_operation as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
|
||||||
|
|
||||||
create or replace function tx_historicize_tf()
|
create or replace function tx_historicize_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -95,7 +95,7 @@ end; $$;
|
|||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
create or replace procedure tx_create_historicization(baseTable varchar)
|
create or replace procedure basis.tx_create_historicization(baseTable varchar)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
createHistTableSql varchar;
|
createHistTableSql varchar;
|
||||||
@ -111,7 +111,7 @@ begin
|
|||||||
'CREATE TABLE ' || baseTable || '_ex (' ||
|
'CREATE TABLE ' || baseTable || '_ex (' ||
|
||||||
' version_id serial PRIMARY KEY,' ||
|
' version_id serial PRIMARY KEY,' ||
|
||||||
' txid xid8 NOT NULL REFERENCES basis.tx_context(txid),' ||
|
' txid xid8 NOT NULL REFERENCES basis.tx_context(txid),' ||
|
||||||
' trigger_op tx_operation NOT NULL,' ||
|
' trigger_op basis.tx_operation NOT NULL,' ||
|
||||||
' alive boolean not null,' ||
|
' alive boolean not null,' ||
|
||||||
' LIKE ' || baseTable ||
|
' LIKE ' || baseTable ||
|
||||||
' EXCLUDING CONSTRAINTS' ||
|
' EXCLUDING CONSTRAINTS' ||
|
||||||
@ -132,7 +132,7 @@ begin
|
|||||||
'CREATE OR REPLACE VIEW %1$s AS' ||
|
'CREATE OR REPLACE VIEW %1$s AS' ||
|
||||||
'(' ||
|
'(' ||
|
||||||
-- make sure the function is only called once, not for every matching row in basis.tx_context
|
-- make sure the function is only called once, not for every matching row in basis.tx_context
|
||||||
' WITH txh AS (SELECT tx_history_txid() AS txid) ' ||
|
' WITH txh AS (SELECT basis.tx_history_txid() AS txid) ' ||
|
||||||
' SELECT %2$s' ||
|
' SELECT %2$s' ||
|
||||||
' FROM %3$s' ||
|
' FROM %3$s' ||
|
||||||
' WHERE alive = TRUE' ||
|
' WHERE alive = TRUE' ||
|
||||||
|
@ -12,8 +12,8 @@ declare
|
|||||||
currentSubjectsUuids uuid[];
|
currentSubjectsUuids uuid[];
|
||||||
begin
|
begin
|
||||||
-- exactly one role must be assumed, not none not more than one
|
-- exactly one role must be assumed, not none not more than one
|
||||||
if cardinality(assumedRoles()) <> 1 then
|
if cardinality(basis.assumedRoles()) <> 1 then
|
||||||
raise exception '[400] Granting roles to user is only possible if exactly one role is assumed, given: %', assumedRoles();
|
raise exception '[400] Granting roles to user is only possible if exactly one role is assumed, given: %', basis.assumedRoles();
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
currentSubjectsUuids := currentSubjectsUuids();
|
currentSubjectsUuids := currentSubjectsUuids();
|
||||||
|
@ -66,10 +66,10 @@ begin
|
|||||||
and r.roleType = roleTypeToAssume
|
and r.roleType = roleTypeToAssume
|
||||||
into roleUuidToAssume;
|
into roleUuidToAssume;
|
||||||
if roleUuidToAssume is null then
|
if roleUuidToAssume is null then
|
||||||
raise exception '[403] role % does not exist or is not accessible for user %', roleName, currentUser();
|
raise exception '[403] role % does not exist or is not accessible for user %', roleName, basis.currentUser();
|
||||||
end if;
|
end if;
|
||||||
if not isGranted(currentUserUuid, roleUuidToAssume) then
|
if not isGranted(currentUserUuid, roleUuidToAssume) then
|
||||||
raise exception '[403] user % has no permission to assume role %', currentUser(), roleName;
|
raise exception '[403] user % has no permission to assume role %', basis.currentUser(), roleName;
|
||||||
end if;
|
end if;
|
||||||
roleIdsToAssume := roleIdsToAssume || roleUuidToAssume;
|
roleIdsToAssume := roleIdsToAssume || roleUuidToAssume;
|
||||||
end loop;
|
end loop;
|
||||||
@ -132,7 +132,7 @@ begin
|
|||||||
currentUserUuid := null;
|
currentUserUuid := null;
|
||||||
end;
|
end;
|
||||||
if (currentUserUuid is null or currentUserUuid = '') then
|
if (currentUserUuid is null or currentUserUuid = '') then
|
||||||
currentUserName := currentUser();
|
currentUserName := basis.currentUser();
|
||||||
if (length(currentUserName) > 0) then
|
if (length(currentUserName) > 0) then
|
||||||
raise exception '[401] currentUserUuid cannot be determined, unknown user name "%"', currentUserName;
|
raise exception '[401] currentUserUuid cannot be determined, unknown user name "%"', currentUserName;
|
||||||
else
|
else
|
||||||
@ -166,7 +166,7 @@ begin
|
|||||||
currentSubjectsUuids := null;
|
currentSubjectsUuids := null;
|
||||||
end;
|
end;
|
||||||
if (currentSubjectsUuids is null or length(currentSubjectsUuids) = 0 ) then
|
if (currentSubjectsUuids is null or length(currentSubjectsUuids) = 0 ) then
|
||||||
currentUserName := currentUser();
|
currentUserName := basis.currentUser();
|
||||||
if (length(currentUserName) > 0) then
|
if (length(currentUserName) > 0) then
|
||||||
raise exception '[401] currentSubjectsUuids (%) cannot be determined, unknown user name "%"', currentSubjectsUuids, currentUserName;
|
raise exception '[401] currentSubjectsUuids (%) cannot be determined, unknown user name "%"', currentSubjectsUuids, currentUserName;
|
||||||
else
|
else
|
||||||
|
@ -241,7 +241,7 @@ create or replace view RbacUser_rv as
|
|||||||
union
|
union
|
||||||
select users.*
|
select users.*
|
||||||
from RbacUser as users
|
from RbacUser as users
|
||||||
where cardinality(assumedRoles()) = 0 and
|
where cardinality(basis.assumedRoles()) = 0 and
|
||||||
(currentUserUuid() = users.uuid or hasGlobalRoleGranted(currentUserUuid()))
|
(currentUserUuid() = users.uuid or hasGlobalRoleGranted(currentUserUuid()))
|
||||||
|
|
||||||
) as unordered
|
) as unordered
|
||||||
@ -303,7 +303,7 @@ begin
|
|||||||
delete from RbacUser where uuid = old.uuid;
|
delete from RbacUser where uuid = old.uuid;
|
||||||
return old;
|
return old;
|
||||||
end if;
|
end if;
|
||||||
raise exception '[403] User % not allowed to delete user uuid %', currentUser(), old.uuid;
|
raise exception '[403] User % not allowed to delete user uuid %', basis.currentUser(), old.uuid;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -354,7 +354,7 @@ begin
|
|||||||
currentUserUuid := currentUserUuid();
|
currentUserUuid := currentUserUuid();
|
||||||
|
|
||||||
if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentUserUuid) then
|
if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentUserUuid) then
|
||||||
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, currentUser();
|
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, basis.currentUser();
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
return query select
|
return query select
|
||||||
|
@ -25,5 +25,5 @@ call basis.create_journal('hs_booking_project');
|
|||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-booking-project-MAIN-TABLE-HISTORIZATION:1 endDelimiter:--//
|
--changeset hs-booking-project-MAIN-TABLE-HISTORIZATION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
call tx_create_historicization('hs_booking_project');
|
call basis.tx_create_historicization('hs_booking_project');
|
||||||
--//
|
--//
|
||||||
|
@ -42,6 +42,6 @@ call basis.create_journal('hs_booking_item');
|
|||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-booking-item-MAIN-TABLE-HISTORIZATION:1 endDelimiter:--//
|
--changeset hs-booking-item-MAIN-TABLE-HISTORIZATION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
call tx_create_historicization('hs_booking_item');
|
call basis.tx_create_historicization('hs_booking_item');
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -173,7 +173,7 @@ call basis.create_journal('hs_hosting_asset');
|
|||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-hosting-asset-MAIN-TABLE-HISTORIZATION:1 endDelimiter:--//
|
--changeset hs-hosting-asset-MAIN-TABLE-HISTORIZATION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
call tx_create_historicization('hs_hosting_asset');
|
call basis.tx_create_historicization('hs_hosting_asset');
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
@ -52,7 +52,7 @@ public abstract class ContextBasedTest {
|
|||||||
protected void historicalContext(final Long txId) {
|
protected void historicalContext(final Long txId) {
|
||||||
// set local cannot be used with query parameters
|
// set local cannot be used with query parameters
|
||||||
em.createNativeQuery("""
|
em.createNativeQuery("""
|
||||||
set local hsadminng.tx_history_txid to ':txid';
|
set local hsadminng.basis.tx_history_txid to ':txid';
|
||||||
""".replace(":txid", txId.toString())).executeUpdate();
|
""".replace(":txid", txId.toString())).executeUpdate();
|
||||||
em.createNativeQuery("""
|
em.createNativeQuery("""
|
||||||
set local hsadminng.tx_history_timestamp to '';
|
set local hsadminng.tx_history_timestamp to '';
|
||||||
@ -66,7 +66,7 @@ public abstract class ContextBasedTest {
|
|||||||
set local hsadminng.tx_history_timestamp to ':timestamp';
|
set local hsadminng.tx_history_timestamp to ':timestamp';
|
||||||
""".replace(":timestamp", txTimestamp.toString())).executeUpdate();
|
""".replace(":timestamp", txTimestamp.toString())).executeUpdate();
|
||||||
em.createNativeQuery("""
|
em.createNativeQuery("""
|
||||||
set local hsadminng.tx_history_txid to '';
|
set local hsadminng.basis.tx_history_txid to '';
|
||||||
""").executeUpdate();
|
""").executeUpdate();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user