Compare commits
No commits in common. "607a6c9424e031c05c9392aa7375e0dfb61e53f5" and "496cdf295b60f1d9ffb89baa7ec6b49826d9c05d" have entirely different histories.
607a6c9424
...
496cdf295b
@ -41,8 +41,6 @@ begin
|
|||||||
assumedRoles := coalesce(assumedRoles, '');
|
assumedRoles := coalesce(assumedRoles, '');
|
||||||
execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
|
execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
|
||||||
|
|
||||||
SET CONSTRAINTS ALL DEFERRED;
|
|
||||||
|
|
||||||
call contextDefined(currentTask, currentRequest, currentUser, assumedRoles);
|
call contextDefined(currentTask, currentRequest, currentUser, assumedRoles);
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
@ -452,13 +452,12 @@ $$;
|
|||||||
create table RbacGrants
|
create table RbacGrants
|
||||||
(
|
(
|
||||||
uuid uuid primary key default uuid_generate_v4(),
|
uuid uuid primary key default uuid_generate_v4(),
|
||||||
grantedByTriggerOf uuid references RbacObject (uuid) on delete cascade initially deferred ,
|
|
||||||
grantedByRoleUuid uuid references RbacRole (uuid),
|
grantedByRoleUuid uuid references RbacRole (uuid),
|
||||||
ascendantUuid uuid references RbacReference (uuid),
|
ascendantUuid uuid references RbacReference (uuid),
|
||||||
descendantUuid uuid references RbacReference (uuid),
|
descendantUuid uuid references RbacReference (uuid),
|
||||||
assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
|
assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
|
||||||
unique (ascendantUuid, descendantUuid),
|
unique (ascendantUuid, descendantUuid)
|
||||||
constraint rbacGrant_createdBy check ( grantedByRoleUuid is null or grantedByTriggerOf is null) );
|
);
|
||||||
create index on RbacGrants (ascendantUuid);
|
create index on RbacGrants (ascendantUuid);
|
||||||
create index on RbacGrants (descendantUuid);
|
create index on RbacGrants (descendantUuid);
|
||||||
|
|
||||||
@ -562,8 +561,8 @@ begin
|
|||||||
perform assertReferenceType('permissionId (descendant)', permissionIds[i], 'RbacPermission');
|
perform assertReferenceType('permissionId (descendant)', permissionIds[i], 'RbacPermission');
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into RbacGrants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
|
into RbacGrants (ascendantUuid, descendantUuid, assumed)
|
||||||
values (currentTriggerObjectUuid(), roleUuid, permissionIds[i], true)
|
values (roleUuid, permissionIds[i], true)
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end loop;
|
end loop;
|
||||||
end;
|
end;
|
||||||
@ -580,8 +579,8 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into RbacGrants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
into RbacGrants (ascendantuuid, descendantUuid, assumed)
|
||||||
values (currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
values (superRoleId, subRoleId, doAssume)
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
@ -603,8 +602,8 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into RbacGrants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
into RbacGrants (ascendantuuid, descendantUuid, assumed)
|
||||||
values (currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
values (superRoleId, subRoleId, doAssume)
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
@ -626,8 +625,8 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into RbacGrants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
into RbacGrants (ascendantuuid, descendantUuid, assumed)
|
||||||
values (currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
values (superRoleId, subRoleId, doAssume)
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -56,7 +56,6 @@ drop view if exists rbacgrants_ev;
|
|||||||
create or replace view rbacgrants_ev as
|
create or replace view rbacgrants_ev as
|
||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
select x.grantUuid as uuid,
|
select x.grantUuid as uuid,
|
||||||
x.grantedByTriggerOf as grantedByTriggerOf,
|
|
||||||
go.objectTable || '#' || findIdNameByObjectUuid(go.objectTable, go.uuid) || '.' || r.roletype as grantedByRoleIdName,
|
go.objectTable || '#' || findIdNameByObjectUuid(go.objectTable, go.uuid) || '.' || r.roletype as grantedByRoleIdName,
|
||||||
x.ascendingIdName as ascendantIdName,
|
x.ascendingIdName as ascendantIdName,
|
||||||
x.descendingIdName as descendantIdName,
|
x.descendingIdName as descendantIdName,
|
||||||
@ -66,7 +65,6 @@ create or replace view rbacgrants_ev as
|
|||||||
x.assumed
|
x.assumed
|
||||||
from (
|
from (
|
||||||
select g.uuid as grantUuid,
|
select g.uuid as grantUuid,
|
||||||
g.grantedbytriggerof as grantedbytriggerof,
|
|
||||||
g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
||||||
|
|
||||||
coalesce(
|
coalesce(
|
||||||
|
@ -1,61 +0,0 @@
|
|||||||
--liquibase formatted sql
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset rbac-trigger-context-ENTER:1 endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
create or replace procedure enterTriggerForObjectUuid(currentObjectUuid uuid)
|
|
||||||
language plpgsql as $$
|
|
||||||
declare
|
|
||||||
existingObjectUuid text;
|
|
||||||
begin
|
|
||||||
existingObjectUuid = current_setting('hsadminng.currentObjectUuid', true);
|
|
||||||
if (existingObjectUuid > '' ) then
|
|
||||||
raise exception '[500] currentObjectUuid already defined, already in trigger of "%"', existingObjectUuid;
|
|
||||||
end if;
|
|
||||||
execute format('set local hsadminng.currentObjectUuid to %L', currentObjectUuid);
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset rbac-trigger-context-CURRENT-ID:1 endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
/*
|
|
||||||
Returns the uuid of the object uuid whose trigger is currently executed as set via `enterTriggerForObjectUuid(...)`.
|
|
||||||
*/
|
|
||||||
|
|
||||||
create or replace function currentTriggerObjectUuid()
|
|
||||||
returns uuid
|
|
||||||
stable -- leakproof
|
|
||||||
language plpgsql as $$
|
|
||||||
declare
|
|
||||||
currentObjectUuid uuid;
|
|
||||||
begin
|
|
||||||
begin
|
|
||||||
currentObjectUuid = current_setting('hsadminng.currentObjectUuid')::uuid;
|
|
||||||
return currentObjectUuid;
|
|
||||||
exception
|
|
||||||
when others then
|
|
||||||
return null::uuid;
|
|
||||||
end;
|
|
||||||
end; $$;
|
|
||||||
--//
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset rbac-trigger-context-LEAVE:1 endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
create or replace procedure leaveTriggerForObjectUuid(currentObjectUuid uuid)
|
|
||||||
language plpgsql as $$
|
|
||||||
declare
|
|
||||||
existingObjectUuid uuid;
|
|
||||||
begin
|
|
||||||
existingObjectUuid = current_setting('hsadminng.currentObjectUuid', true);
|
|
||||||
if ( existingObjectUuid <> currentObjectUuid ) then
|
|
||||||
raise exception '[500] currentObjectUuid does not match: "%"', existingObjectUuid;
|
|
||||||
end if;
|
|
||||||
execute format('reset hsadminng.currentObjectUuid');
|
|
||||||
end; $$;
|
|
||||||
|
|
@ -34,8 +34,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
-- the owner role with full access for Hostsharing administrators
|
-- the owner role with full access for Hostsharing administrators
|
||||||
testCustomerOwnerUuid = createRoleWithGrants(
|
testCustomerOwnerUuid = createRoleWithGrants(
|
||||||
testCustomerOwner(NEW),
|
testCustomerOwner(NEW),
|
||||||
@ -61,7 +59,6 @@ begin
|
|||||||
permissions => array['view']
|
permissions => array['view']
|
||||||
);
|
);
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -26,13 +26,13 @@ create or replace function createRbacRolesForTestPackage()
|
|||||||
strict as $$
|
strict as $$
|
||||||
declare
|
declare
|
||||||
parentCustomer test_customer;
|
parentCustomer test_customer;
|
||||||
|
packageOwnerRoleUuid uuid;
|
||||||
|
packageAdminRoleUuid uuid;
|
||||||
begin
|
begin
|
||||||
if TG_OP <> 'INSERT' then
|
if TG_OP <> 'INSERT' then
|
||||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;
|
select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;
|
||||||
|
|
||||||
-- an owner role is created and assigned to the customer's admin role
|
-- an owner role is created and assigned to the customer's admin role
|
||||||
@ -57,7 +57,6 @@ begin
|
|||||||
outgoingSubRoles => array[testCustomerTenant(parentCustomer)]
|
outgoingSubRoles => array[testCustomerTenant(parentCustomer)]
|
||||||
);
|
);
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -53,8 +53,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
select * from test_package where uuid = NEW.packageUuid into parentPackage;
|
select * from test_package where uuid = NEW.packageUuid into parentPackage;
|
||||||
|
|
||||||
-- an owner role is created and assigned to the package's admin group
|
-- an owner role is created and assigned to the package's admin group
|
||||||
@ -74,7 +72,6 @@ begin
|
|||||||
|
|
||||||
-- a tenent role is only created on demand
|
-- a tenent role is only created on demand
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -33,7 +33,6 @@ declare
|
|||||||
oldContact hs_office_contact;
|
oldContact hs_office_contact;
|
||||||
newContact hs_office_contact;
|
newContact hs_office_contact;
|
||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
hsOfficeRelationshipTenant := hsOfficeRelationshipTenant(NEW);
|
hsOfficeRelationshipTenant := hsOfficeRelationshipTenant(NEW);
|
||||||
|
|
||||||
@ -97,7 +96,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER';
|
raise exception 'invalid usage of TRIGGER';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -36,7 +36,6 @@ declare
|
|||||||
oldContact hs_office_contact;
|
oldContact hs_office_contact;
|
||||||
newContact hs_office_contact;
|
newContact hs_office_contact;
|
||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
select * from hs_office_relationship as r where r.uuid = NEW.partnerroleuuid into newPartnerRole;
|
select * from hs_office_relationship as r where r.uuid = NEW.partnerroleuuid into newPartnerRole;
|
||||||
select * from hs_office_person as p where p.uuid = NEW.personUuid into newPerson;
|
select * from hs_office_person as p where p.uuid = NEW.personUuid into newPerson;
|
||||||
@ -160,7 +159,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER';
|
raise exception 'invalid usage of TRIGGER';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -30,7 +30,6 @@ declare
|
|||||||
newHsOfficeDebitor hs_office_debitor;
|
newHsOfficeDebitor hs_office_debitor;
|
||||||
newHsOfficeBankAccount hs_office_bankAccount;
|
newHsOfficeBankAccount hs_office_bankAccount;
|
||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
select * from hs_office_debitor as p where p.uuid = NEW.debitorUuid into newHsOfficeDebitor;
|
select * from hs_office_debitor as p where p.uuid = NEW.debitorUuid into newHsOfficeDebitor;
|
||||||
select * from hs_office_bankAccount as c where c.uuid = NEW.bankAccountUuid into newHsOfficeBankAccount;
|
select * from hs_office_bankAccount as c where c.uuid = NEW.bankAccountUuid into newHsOfficeBankAccount;
|
||||||
@ -76,7 +75,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER';
|
raise exception 'invalid usage of TRIGGER';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -36,7 +36,6 @@ declare
|
|||||||
newBankAccount hs_office_bankaccount;
|
newBankAccount hs_office_bankaccount;
|
||||||
oldBankAccount hs_office_bankaccount;
|
oldBankAccount hs_office_bankaccount;
|
||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
hsOfficeDebitorTenant := hsOfficeDebitorTenant(NEW);
|
hsOfficeDebitorTenant := hsOfficeDebitorTenant(NEW);
|
||||||
|
|
||||||
@ -146,7 +145,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER';
|
raise exception 'invalid usage of TRIGGER';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -30,7 +30,6 @@ declare
|
|||||||
newHsOfficePartner hs_office_partner;
|
newHsOfficePartner hs_office_partner;
|
||||||
newHsOfficeDebitor hs_office_debitor;
|
newHsOfficeDebitor hs_office_debitor;
|
||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
select * from hs_office_partner as p where p.uuid = NEW.partnerUuid into newHsOfficePartner;
|
select * from hs_office_partner as p where p.uuid = NEW.partnerUuid into newHsOfficePartner;
|
||||||
select * from hs_office_debitor as c where c.uuid = NEW.mainDebitorUuid into newHsOfficeDebitor;
|
select * from hs_office_debitor as c where c.uuid = NEW.mainDebitorUuid into newHsOfficeDebitor;
|
||||||
@ -75,7 +74,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER';
|
raise exception 'invalid usage of TRIGGER';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -29,7 +29,6 @@ create or replace function hsOfficeCoopSharesTransactionRbacRolesTrigger()
|
|||||||
declare
|
declare
|
||||||
newHsOfficeMembership hs_office_membership;
|
newHsOfficeMembership hs_office_membership;
|
||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
select * from hs_office_membership as p where p.uuid = NEW.membershipUuid into newHsOfficeMembership;
|
select * from hs_office_membership as p where p.uuid = NEW.membershipUuid into newHsOfficeMembership;
|
||||||
|
|
||||||
@ -50,7 +49,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER';
|
raise exception 'invalid usage of TRIGGER';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -29,7 +29,6 @@ create or replace function hsOfficeCoopAssetsTransactionRbacRolesTrigger()
|
|||||||
declare
|
declare
|
||||||
newHsOfficeMembership hs_office_membership;
|
newHsOfficeMembership hs_office_membership;
|
||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
select * from hs_office_membership as p where p.uuid = NEW.membershipUuid into newHsOfficeMembership;
|
select * from hs_office_membership as p where p.uuid = NEW.membershipUuid into newHsOfficeMembership;
|
||||||
|
|
||||||
@ -50,7 +49,6 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER';
|
raise exception 'invalid usage of TRIGGER';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
@ -25,8 +25,6 @@ databaseChangeLog:
|
|||||||
file: db/changelog/054-rbac-context.sql
|
file: db/changelog/054-rbac-context.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/055-rbac-views.sql
|
file: db/changelog/055-rbac-views.sql
|
||||||
- include:
|
|
||||||
file: db/changelog/056-rbac-trigger-context.sql
|
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/057-rbac-role-builder.sql
|
file: db/changelog/057-rbac-role-builder.sql
|
||||||
- include:
|
- include:
|
||||||
|
@ -455,7 +455,6 @@ public class ImportOfficeData extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
@Order(3000)
|
@Order(3000)
|
||||||
@Commit
|
@Commit
|
||||||
@Disabled
|
|
||||||
void persistEntities() {
|
void persistEntities() {
|
||||||
|
|
||||||
System.out.println("PERSISTING to database '" + jdbcUrl + "' as user '" + postgresAdminUser + "'");
|
System.out.println("PERSISTING to database '" + jdbcUrl + "' as user '" + postgresAdminUser + "'");
|
||||||
@ -886,7 +885,7 @@ public class ImportOfficeData extends ContextBasedTest {
|
|||||||
contractualMissing.add(partner.getPartnerNumber());
|
contractualMissing.add(partner.getPartnerNumber());
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
//assertThat(contractualMissing).isEmpty(); // comment out if we do want to allow missing contractual contact
|
assertThat(contractualMissing).isEmpty(); // comment out if we do want to allow missing contractual contact
|
||||||
}
|
}
|
||||||
private static boolean containsRole(final Record rec, final String role) {
|
private static boolean containsRole(final Record rec, final String role) {
|
||||||
final var roles = rec.getString("roles");
|
final var roles = rec.getString("roles");
|
||||||
|
Loading…
Reference in New Issue
Block a user