introduce separate database-schemas base+rbac #103

hsh-michaelhoennig merged 54 commits from introduce-separate-database-schemas-base-and-rbac into master 2024-09-16 15:36:38 +02:00
16 changed files with 31 additions and 31 deletions


@ -364,7 +364,7 @@ class RolesGrantsAndPermissionsGenerator {
System.out.println("null");
}
if (roleDef.getEntityAlias().isGlobal()) {
return "globalAdmin()";
return "rbac.globalAdmin()";
}
final String entityRefVar = entityRefVar(rootRefVar, roleDef.getEntityAlias());
return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().name())


@ -30,7 +30,7 @@ create or replace function rbac.isGlobalAdmin()
returns boolean
language plpgsql as $$
begin
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin()));
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
end; $$;
--//
@ -109,7 +109,7 @@ commit;
/*
A rbac.Global administrator role.
*/
create or replace function globalAdmin(assumed boolean = true)
create or replace function rbac.globalAdmin(assumed boolean = true)
returns rbac.RoleDescriptor
returns null on null input
stable -- leakproof
@ -119,7 +119,7 @@ $$;
begin transaction;
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
select rbac.createRole(globalAdmin());
select rbac.createRole(rbac.globalAdmin());
commit;
--//
@ -130,7 +130,7 @@ commit;
/*
A rbac.Global guest role.
*/
create or replace function globalGuest(assumed boolean = true)
create or replace function rbac.globalglobalGuest(assumed boolean = true)
returns rbac.RoleDescriptor
returns null on null input
stable -- leakproof
@ -140,7 +140,7 @@ $$;
begin transaction;
call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
select rbac.createRole(globalGuest());
select rbac.createRole(rbac.globalglobalGuest());
commit;
--//
@ -157,7 +157,7 @@ do language plpgsql $$
begin
call base.defineContext('creating fake test-realm admin users', null, null, null);
admins = rbac.findRoleId(globalAdmin());
admins = rbac.findRoleId(rbac.globalAdmin());
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));

müsste das nicht grantRoleToSubjectUnchecked heißen

müsste das nicht grantRoleToSubjectUnchecked heißen
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
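Review bot: The guest role function is renamed to `rbac.globalglobalGuest` in both the declaration and the `rbac.createRole(...)` call, which looks like a search-and-replace artefact doubling the `global` prefix; the admin counterpart is `rbac.globalAdmin`, so this should read `create or replace function rbac.globalGuest(assumed boolean = true)` and `select rbac.createRole(rbac.globalGuest());`. The file is internally consistent as written, but any other migration, trigger or Java reference still spelling `globalGuest` would no longer resolve — those callers are not visible from here. Separately, `rbac.isGlobalAdmin()` still calls `isGranted(...)` unqualified while every neighbouring call in this hunk is schema-qualified; an authorization predicate that resolves a function through `search_path` is exactly where a same-named object in an earlier schema could change the outcome, so it is worth qualifying it as well (presumably `rbac.isGranted`, if that is where it now lives).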


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants(
testCustomerOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
incomingSuperRoles => array[rbac.globalADMIN(rbac.unassumed())],
subjectUuids => array[rbac.currentSubjectUuid()]
);
@ -96,7 +96,7 @@ do language plpgsql $$
LOOP
call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
globalADMIN());
rbac.globalAdmin());

globalAdmin statt globalADMIN?

globalAdmin statt globalADMIN?

ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe

ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe
END LOOP;
end;
$$;
@ -112,7 +112,7 @@ begin
-- unconditional for all rows in that table
call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
globalADMIN());
rbac.globalAdmin());
-- end.
return NEW;
end; $$;


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficeContactOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()]
);


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficePersonOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()]
);


@ -50,7 +50,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficeRelationOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()]
);


@ -173,7 +173,7 @@ do language plpgsql $$
LOOP
call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
globalADMIN());
rbac.globalAdmin());
END LOOP;
end;
$$;
@ -189,7 +189,7 @@ begin
-- unconditional for all rows in that table
call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
globalADMIN());
rbac.globalAdmin());
-- end.
return NEW;
end; $$;


@ -77,7 +77,7 @@ begin
LOOP
call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN());
rbac.globalAdmin());
END LOOP;
end;
$$;
@ -93,7 +93,7 @@ begin
-- unconditional for all rows in that table
call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN());
rbac.globalAdmin());
-- end.
return NEW;
end; $$;


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()]
);


@ -146,7 +146,7 @@ do language plpgsql $$
LOOP
call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
globalADMIN());
rbac.globalAdmin());
END LOOP;
end;
$$;
@ -162,7 +162,7 @@ begin
-- unconditional for all rows in that table
call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
globalADMIN());
rbac.globalAdmin());
-- end.
return NEW;
end; $$;


@ -50,7 +50,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()]
);


@ -108,7 +108,7 @@ do language plpgsql $$
LOOP
call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
globalADMIN());
rbac.globalAdmin());
END LOOP;
end;
$$;
@ -124,7 +124,7 @@ begin
-- unconditional for all rows in that table
call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
globalADMIN());
rbac.globalAdmin());
-- end.
return NEW;
end; $$;


@ -70,7 +70,7 @@ begin
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
);
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;


@ -69,7 +69,7 @@ begin
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
@ -114,7 +114,7 @@ do language plpgsql $$
LOOP
call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN());
rbac.globalAdmin());
END LOOP;
end;
$$;
@ -130,7 +130,7 @@ begin
-- unconditional for all rows in that table
call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN());
rbac.globalAdmin());
-- end.
return NEW;
end; $$;


@ -69,7 +69,7 @@ begin
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
@ -114,7 +114,7 @@ do language plpgsql $$
LOOP
call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN());
rbac.globalAdmin());
END LOOP;
end;
$$;
@ -130,7 +130,7 @@ begin
-- unconditional for all rows in that table
call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN());
rbac.globalAdmin());
-- end.
return NEW;
end; $$;


@ -50,7 +50,7 @@ begin
hsHostingAssetOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[
globalADMIN(rbac.unassumed()),
rbac.globalADMIN(rbac.unassumed()),
hsBookingItemADMIN(newBookingItem),
hsHostingAssetADMIN(newParentAsset)],
subjectUuids => array[rbac.currentSubjectUuid()]